
FREEDOMS

Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU

Mapping Member States’ legal frameworks

This report addresses matters related to the respect for private and family life (Article 7), the protection of (Article 8) and the right to an effective remedy and a fair trial (Article 47) falling under Titles II ‘Freedoms’ and VI ‘Justice’ of the Charter of Fundamental Rights of the .


FRA – European Union Agency for Fundamental Rights
Schwarzenbergplatz 11 – 1040 Vienna – Austria
Tel. +43 158030-0 – Fax +43 158030-699
fra.europa.eu

Luxembourg: Publications Office of the European Union, 2015

Paper: 978-92-9491-225-1 10.2811/85028 TK-04-16-020-EN-C
PDF: 978-92-9491-224-4 10.2811/009038 TK-04-16-020-EN-N

© European Union Agency for Fundamental Rights, 2015

Reproduction is authorised, provided the source is acknowledged.

Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU

Mapping Member States’ legal frameworks

Foreword

Protecting the public from genuine threats to security and safeguarding fundamental rights involves a delicate balance, and has become a particularly complex challenge in recent years. Terror attacks worldwide have triggered broad measures allowing intelligence services to cast ever-wider nets in the hope of preventing further violence. At the same time, the digital age has produced technological innovations facilitating large-scale data monitoring – which could easily be abused.

These developments affect a variety of fundamental rights protected by European Union (EU) law, particularly the rights to and data protection – enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the EU treaties and EU directives.

The Snowden revelations, which uncovered extensive and indiscriminate surveillance efforts worldwide, highlight that violations of these rights are not merely a theoretical concern. The sheer magnitude of the uncovered intelligence activity has prompted disquiet and underscored the importance of maintaining effective mechanisms to help prevent fundamental rights encroachments. The responded with a resolution which, among others, calls on the European Union Agency for Fundamental Rights to research thoroughly fundamental rights protection in the context of surveillance, in particular in terms of available remedies.

This report – which constitutes the first part of FRA’s response to this request – aims to support the adoption and meaningful implementation of oversight mechanisms in the EU and its Member States. It does so by analysing the legal frameworks on surveillance in place in EU Member States, focusing on so-called ‘’, which carries a particularly high potential for . The report does not assess the implementation of the respective laws; instead, it maps the relevant legal frameworks in the Member States. It also details oversight mechanisms introduced across the EU, outlines the work of entities tasked with overseeing surveillance measures, and presents the various remedies available to individuals seeking to challenge such intelligence activities.

The research findings presented in this report demonstrate the complex considerations involved in safeguarding fundamental rights in the context of surveillance. Finding a balance between protection and respect for fundamental rights is a challenge that requires thorough and candid discussion. This report contributes to that discussion.

Constantinos Manolopoulos Director a. i.

Country codes

Code  EU Member
AT    Austria
BE    Belgium
BG    Bulgaria
CY    Cyprus
CZ    Czech Republic
DE    Germany
DK    Denmark
EE    Estonia
EL
ES    Spain
FI    Finland
FR    France
HR    Croatia
HU    Hungary
IE    Ireland
IT    Italy
LT    Lithuania
LU    Luxembourg
LV    Latvia
MT    Malta
NL    Netherlands
PL    Poland
PT    Portugal
RO    Romania
SE    Sweden
SK    Slovakia
SI    Slovenia
UK

Contents

FOREWORD

INTRODUCTION

1 INTELLIGENCE SERVICES AND SURVEILLANCE LAWS
  1.1. Intelligence services
  1.2. Surveillance measures
  1.3. Member States’ laws on surveillance
  FRA key findings

2 OVERSIGHT OF INTELLIGENCE SERVICES
  2.1. Executive control
  2.2. Parliamentary oversight
  2.3. Expert oversight
  2.4. Approval and review of surveillance measures
  FRA key findings

3 REMEDIES
  3.1. A precondition: obligation to inform and the right to access
  3.2. Judicial remedies
  3.3. Non-judicial remedies: independence, mandate and powers
  FRA key findings

CONCLUSIONS

REFERENCES

CASE LAW INDEX

LEGAL INSTRUMENTS INDEX

ANNEX: OVERVIEW OF SECURITY AND INTELLIGENCE SERVICES IN THE EU‑28

List of figures and tables

Figure 1: A conceptual model of
Figure 2: Intelligence services’ accountability mechanisms
Figure 3: Forms of control exercised over the intelligence services by the executive across the EU-28
Figure 4: Specialised expert bodies and DPAs across the EU-28
Figure 5: Remedial avenues at the national level
Figure 6: Types of national oversight bodies with powers to hear individual complaints in the context of surveillance, by EU Member State

Table 1: Categories of powers exercised by the parliamentary committees as established in law
Table 2: Expert bodies in charge of overseeing surveillance, EU-28
Table 3: DPAs’ powers over national intelligence services, EU-28
Table 4: Prior approval of measures, EU-28
Table 5: Approval of signals intelligence in France, Germany, the Netherlands, Sweden and the United Kingdom


Introduction

Recent revelations of mass surveillance underscore the importance of mechanisms that help prevent fundamental rights violations in the context of intelligence activities. This FRA report aims to evaluate such mechanisms in place across the European Union (EU) by describing the current legal framework related to surveillance in the 28 EU Member States. The report first outlines how intelligence services are organised, describes the various forms surveillance measures can take and presents Member States’ laws on surveillance. It then details oversight mechanisms introduced across the EU, outlines the work of entities set up thereunder, and presents various remedies available to individuals seeking to challenge surveillance efforts. The report does not assess the implementation of the respective laws, but maps current legal frameworks. In addition, it provides an overview of relevant fundamental rights standards, focusing on the rights to privacy and data protection.

Background

In June 2013, media worldwide began publishing the ‘Snowden documents’, describing in detail several surveillance programmes being carried out, including by the (NSA) and by the United Kingdom’s Government Communications Headquarters (GCHQ). These brought to light the existence of extensive . Details of these programmes, which set up a global system of digital data interception and collection, have been widely publicised¹ and critically assessed.² Neither the US nor the British authorities questioned the authenticity of the revelations,³ and in some cases confirmed them.⁴ However, the media’s interpretation of the programmes was sometimes contested – for example, by the UK Intelligence and Security Committee of Parliament⁵ and academia.⁶ Since most of the Snowden revelations have not been recognised by the British government, the Investigatory Powers Tribunal, in hearing challenges to the legality of the programmes, took the approach of hearing cases on the basis of hypothetical facts closely resembling those alleged by the media.⁷ For the Austrian Federal Agency for State Protection and Counter (BVT), the Snowden revelations represented a “paradigm shift”: “Up until a few years ago, was largely directed at state or business secrets, and not, for the most part, at people’s privacy, which can now be interfered with extensively by intelligence services since they possess the necessary technical resources to do so”.⁸

The Snowden revelations were not the first to hint at the existence of programmes of large-scale communication surveillance set up in the aftermath of the 11 September 2001 attacks.⁹ But the magnitude of the revelations was unprecedented, potentially affecting the entire world. The revelations triggered an array of reactions.¹⁰ In the intelligence community, and in particular among the specialised bodies in charge of overseeing the work of intelligence services, dedicated inquiries were conducted.¹¹ The European Union reacted strongly. The (EC), the Council of the European Union and the European Parliament (EP) reported on the revelations, expressing concern about mass surveillance programmes, seeking clarification from US authorities, and working on “rebuilding trust” in light of the damage created by the revelations.¹²

On 12 March 2014, the EP adopted a resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights, and transatlantic cooperation in Justice and Home Affairs (the Resolution).¹³ The resolution drew on the in-depth inquiry that the EP tasked the , Justice and Home Affairs Committee (LIBE) to conduct during the second half of 2013, shortly

1 See European Parliament, Committee on Civil Liberties, Justice and Home Affairs (2013a); European Union Agency for Fundamental Rights (FRA) (2014a); PACE, Committee on Legal Affairs and (2015a); Vermeulen, M. (2014).
2 See, for example, France, Urvoas, J.-J., Parliamentary Delegation on Intelligence (2014), p. 129 and following.
3 See Belgium, Standing Intelligence Agencies Review Committee (Standing Committee I) (2014), p. 135. The Belgian oversight body has not yet found any indication that the slides revealed were not authentic, and would tend to conclude that they are truthful. See also Standing Committee I (2015), p. 11.
4 The Guardian (2013).
5 See United Kingdom, Intelligence and Security Committee of Parliament (2013).
6 Cayford, M. et al., P. H. A. J. M. (2015), p. 646.
7 United Kingdom, Investigatory Powers Tribunal (2014/2015). The UK government adopted, for security reasons, a general policy of neither confirming nor denying allegations made in respect of surveillance activities in other cases. See also ECtHR, Liberty and Others v. the United Kingdom, No. 58243/00, 1 July 2008, para. 47.
8 Austria, Federal Agency for State Protection and Counter Terrorism (Bundesamt für Verfassungsschutz und Terrorismusbekämpfung) (2014), p. 57.
9 See, for example, European Parliament (2001); Chesterman, S. (2011); Lowenthal, M. (2015), p. 124.
10 Wright, D. and Kreissl, R. (2015).
11 See, for example, Germany, Federal Parliament (2013), p. 10 and following; Italy, COPASIR (2014), p. 18 and following; Belgium, Standing Committee I (2014), p. 132 and following; Belgium, Standing Committee I (2015), p. 8 and following, pp. 67–68, and its recommendations, p. 115 and following; The Netherlands, CTIVD (2014a), p. 8 and following.
12 FRA (2014a), p. 81 and following; FRA (2015).
13 European Parliament (2014).


after the revelations on mass surveillance were published in the press.¹⁴

The wide-reaching resolution launched a “European Digital ”, aimed at protecting fundamental rights in a digital age while focusing on eight key actions. In this context, the EP called on the EU Agency for Fundamental Rights (FRA) “to undertake in-depth research on the protection of fundamental rights in the context of surveillance, and in particular on the current legal situation of EU citizens with regard to the judicial remedies available to them in relation to those practices”.¹⁵

Scope of the analysis

This report constitutes the first step of FRA’s response to the EP request. It provides an overview of the EU Member States’ legal frameworks regarding surveillance. FRA will further consolidate its legal findings with fieldwork research providing data on the day-to-day implementation of the legal frameworks. A socio-legal report based on an empirical study, to be published at a later stage, will expand on the findings presented here.

While the EP requested the FRA to study the impact of ‘surveillance’ on fundamental rights, given the context in which the resolution was drafted, it is clear that ‘mass surveillance’ is the main focus of the Parliament’s current work. During the data collection phase, FRA used the Parliament’s definition to delineate the scope of Franet’s research. The EP resolution refers to

“far-reaching, complex and highly technologically advanced systems designed by US and some Member States’ intelligence services to collect, store and analyse communication data, including content data, location data and of all citizens around the world, on an unprecedented scale and in an indiscriminate and non-suspicion-based manner” (Paragraph 1).

This definition encompasses two essential aspects: first, a reference to a collection technique, and second, the distinction between targeted and untargeted collection.

The report does not analyse the surveillance techniques themselves, but rather the legal frameworks that enable these techniques. For Member States that carry out signals intelligence, the focus of the analysis is on this capacity, and not on other intrusive capabilities the services may have (such as wiretapping).

This report covers the work of intelligence services. It does not address the obligations of commercial entities which, willingly or not, provide intelligence services with the raw data that constitute Signals Intelligence (SIGINT), and are otherwise involved in the implementation of the surveillance programmes.¹⁶ The private sector’s role in surveillance requires a separate study.

While the premise of this report is the existence of an interference, since the “secret monitoring of communications” interferes with privacy rights from a fundamental rights point of view,¹⁷ the report focuses on analysing the legal safeguards in place in the EU Member States’ legal frameworks, and therefore on their approaches to upholding fundamental rights.

“Assuming therefore that there remains a legal right to respect for the privacy of digital communications (and this cannot be disputed (see General Assembly Resolution 68/167)), the adoption of mass surveillance technology undoubtedly impinges on the very essence of that right.”
UN, Human Rights Council, Emmerson, B. (2014), para. 18

The report’s analysis of EU Member States’ legal frameworks tries to keep and intelligence services separate. By doing so, the report excludes the work of law enforcement from its scope, while recognising that making this division is not always easy. As stated by Chesterman, “Governments remain conflicted as to the appropriate manner of dealing with alleged terrorists, the imperative to detect and prevent terrorism will lead to ever greater cooperation between different parts of government”.¹⁸ The EP resolution recognises this and called on the Europol Joint Supervisory Body (JSB) to inspect whether information and personal data shared with Europol have been lawfully acquired by national authorities, particularly if the data were initially acquired by intelligence services in the EU or a third country.¹⁹

The Snowden revelations have also shed light on cooperation between intelligence services. This issue, important for the oversight of intelligence services’ activities, has been addressed by the EP resolution (Paragraph 22),

14 See FRA (2014a).
15 European Parliament (2014), paras. 132 and 35.
16 See Bigo, D. et al. (2013), p. 41.
17 ECtHR, Weber and Saravia v. Germany, No. 54934/00, 29 June 2006, para. 78.
18 See Chesterman, S. (2011), p. 237.
19 European Parliament (2014), para. 84; Europol Joint Supervisory Body (2014).


by oversight bodies,²⁰ by the Venice Commission,²¹ and by academia.²² This aspect, however, proved impossible to analyse in a comparative study, since, in the great majority of cases, cooperation agreements or modalities for transferring data are neither regulated by law nor public. This in itself creates a fundamental rights issue linked to the rule of law and, more particularly, regarding the importance of the existence of a law that is accessible to the public, as well as regarding the rules governing the transfer of personal data to third countries. Though this report could not deal with this aspect beyond referencing the lack of proper control by oversight bodies, it does raise important questions under relevant legal standards.

Fundamental rights and safeguards

Given the scope of the EP request, the FRA decided to focus its research on privacy and data protection, because surveillance measures acutely encroach on these fundamental rights. According to the Council of Europe Commissioner for Human Rights, “[i]t is not only the actual use of these measures against given individuals that infringes the right to privacy but also their potential use and/or the mere existence of legislation permitting their use”.²³ This in no way means that other fundamental rights are not equally affected. The EP resolution highlighted this when referring to other affected fundamental rights, in particular “freedom of expression, of the press, of thought, of conscience, of religion and of association, […] the presumption of innocence and the right to a fair trial and non-discrimination”.²⁴

A fundamental right must be properly safeguarded to be effectively exercised. This report analyses, as per the EP request, the remedies at an individual’s disposal to uphold his or her rights to privacy and data protection. Past FRA research provides important findings on how data protection remedies work in practice. While recognising the specificity of surveillance measures, this report draws on key conclusions elaborated on in the 2014 FRA report on access to data protection remedies, which carefully assessed the practical role of national data protection authorities.²⁵ This report also examines the crucial role specialised bodies play in overseeing the work of security and intelligence services.

International and European standards applicable to surveillance have been exhaustively developed and commented on by multiple organisations, so this report will merely refer to them to avoid duplicating already existing work. The United Nations (UN) has set standards in this area for decades. Its various expert bodies and human rights procedures were forthright in their condemnations of mass surveillance practices following the Snowden revelations.²⁶ In March 2015, the Human Rights Council of the UN decided to create the post of Special Rapporteur on the , who will be in charge of monitoring privacy rights in the UN context.²⁷

The European Court of Human Rights (ECtHR) has over the years also developed standards, based on Article 8 of the ECHR (right to respect for private and family life) – including its procedural aspects²⁸ – and Article 13 of the ECHR (right to an effective remedy).²⁹ Its case law has reviewed various forms of surveillance, but issues related to the Snowden revelations have not yet been adjudicated.³⁰ ECtHR standards have triggered legislative reforms at national level;³¹ narrowed the scope of the term ‘national security’ and required that the threat to national security have some reasonable basis in facts;³²

20 The Belgian Standing Committee I, for example, refers to Germany and the Netherlands, whose laws organise data transfer; see Belgium, Standing Committee I (2014), pp. 4–5. The Dutch Review Committee has conducted a number of investigations on cooperation between Dutch and foreign services. Its latest investigation addresses this issue, as well, and additional investigations are expected to be published; see The Netherlands, CTIVD (2014b), pp. 13 and 148 and following; The Netherlands, CTIVD (2014a), p. 29 and following. See also The Netherlands, CTIVD (2010), p. 47 and following. However, CTIVD recognises the limits of its power in this context; see The Netherlands, CTIVD (2015), p. 35.
21 See Venice Commission (2015).
22 See Born, H. et al. (eds.) (2011); Born, H. et al. (2015); Bigo, D. et al. (2013), pp. 24 and 39; Cousseran, J.-C. and Hayez, P. (2015), p. 133 and following.
23 Council of Europe Commissioner for Human Rights (2015), p. 21.
24 European Parliament (2014), para. T. See also United Nations (UN) General Assembly (GA) (2014b); UN, Human Rights Council, Kaye, D. (2015); UN Special Rapporteur on Freedom of Opinion and Expression, the Organization for Security and Co-operation in Europe (OSCE) (2015); ECtHR, Telegraaf Media Nederland Landelijke Media B.V. and Others v. the Netherlands, No. 39315/06, 22 November 2012, para. 88, in which the ECtHR acknowledges that the surveillance methods interfered with the applicant’s freedom of expression; Council of Europe Commissioner for Human Rights (2015); Raab, C. et al. (2015).
25 FRA (2014c).
26 See UN, GA (2014a); UN, GA (2014b); UN, Human Rights Council, Scheinin, M. (2009); UN, Office of the High Commissioner for Human Rights (OHCHR) (2014); UN, Human Rights Council, Emmerson, B. (2014); UN, Human Rights Committee (2014) and UN, Human Rights Committee (2015a).
27 UN, Human Rights Council (2015).
28 ECtHR, M.N. and Others v. San Marino, No. 28005/12, 7 July 2015, para. 83.
29 For a discussion of the ECtHR case law, see European Commission for Democracy through Law (Venice Commission) (2007); Venice Commission (2015).
30 See the pending case: ECtHR, Big Brother Watch and Others v. the United Kingdom, No. 58170/03, communicated on 9 January 2014.
31 ECtHR, Malone v. the United Kingdom, No. 8691/79, 2 August 1984; ECtHR, Kruslin v. France, No. 11801/85, 24 April 1990.
32 ECtHR, Klass and Others v. Germany, No. 5029/71, 6 September 1978, paras. 45–46; ECtHR, Janowiec and Others v. [GC], Nos. 55508/07 and 29520/09, 21 October 2013, paras. 213–214; ECtHR, C.G. and others v. Bulgaria, No. 1365/07, 24 April 2008, para. 40.


and clarified procedural rules such as legal standing in the area of surveillance,³³ the extent to which an individual can have an “”,³⁴ and the minimum safeguards that should be in place during surveillance.³⁵ Moreover, the ECtHR has cited 1981 Council of Europe data protection Convention (Convention 108) principles when examining personal data processing within the scope of the ECHR and the concept of private life.³⁶ According to the Venice Commission, the ECHR standards should be considered as minimum human rights standards.³⁷ They are often used as a benchmark when assessing legislation or a surveillance practice.³⁸

European Union Law

At the EU level, the rights to privacy and data protection are enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (the Charter). The right to data protection is also laid down in Article 16 of the Treaty on the Functioning of the European Union (TFEU), and in Article 39 of the Treaty on the European Union (TEU). In addition, secondary legislation adopted earlier than the Charter and the TFEU protect this right. Relevant legal instruments include the Data Protection Directive 95/46/EC, the e-Privacy Directive 2002/58/EC and the Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. These instruments ensure, amongst others, that in their respective scope of application, the processing of personal data is carried out lawfully and only to the extent necessary for the fulfilment of the legitimate aim pursued. These rights extend to all persons, whether they are EU citizens or third-country nationals. According to Article 52 (1) of the Charter, any limitation to this right must be necessary and proportionate, genuinely meet objectives of general interest recognised by the Union, be provided by law, and respect the essence of such rights.

Applicability of these instruments in the field of security is, however, subject to the specific legal and policy framework in the area and particularly to the national security exemption. Article 4 (2) of the TEU provides that “national security remains the sole responsibility of each EU Member State”. This exemption is reiterated both in Article 3 (2) of the Data Protection Directive and in Article 1 (4) of Framework Decision 2008/977/JHA, which excludes “essential national security interests and specific intelligence activities in the field of national security” from the rules applicable to ‘regular’ law enforcement action.

The limits of the national security exemption are subject to debate, including in relation to the activities of intelligence services.³⁹ Although international guidelines⁴⁰ exist, there is no uniform understanding of ‘national security’ across the EU. The concept is not further defined in EU legislation or in CJEU case law, although the CJEU has stated that exceptions to fundamental rights must be interpreted narrowly and justified.⁴¹ The CJEU has also stated that the mere fact that a decision concerns state security does not render EU law inapplicable.⁴²

The lack of clarity on the precise scope of the national security exemption goes hand in hand with the varied and seldom clearly drawn line between the areas of law enforcement and national security in individual Member States. This is particularly true with counter-terrorism, since terrorism is generally considered a threat to both national security and to law and order. As a result, the division of competences amongst intelligence and law enforcement authorities varies throughout the EU Member States, as do the modalities of their information exchanges.

It falls outside the scope of this report to analyse in great detail the extent of EU competence in this field. However, the current situation is relevant not only to surveillance and the rights of privacy and personal data protection, but also to efforts at the EU level in the area of internal security, in accordance with Article 4 (2) (j) of the TFEU, which defines the area of freedom, security and justice as an area of shared competences between

33 ECtHR, Klass and Others v. Germany, No. 5029/71, 6 September 1978, para. 34. See also ECtHR, Liberty and Others v. the United Kingdom, No. 58243/00, 1 July 2008, para. 56.
34 ECtHR, Copland v. the United Kingdom, No. 62617/00, 3 April 2007, para. 42.
35 ECtHR, Weber and Saravia v. Germany, No. 54934/00, 29 June 2006, para. 95.
36 ECtHR, Z. v. Finland, No. 22009/93, 25 February 1997, paras. 95–97; ECtHR, Amann v. Switzerland, No. 27798/95, 16 February 2000, para. 65; ECtHR, Rotaru v. Romania, No. 28341/95, 4 May 2000, para. 43; ECtHR, S. and Marper v. The United Kingdom, Nos. 30562/04 and 30566/04, 4 December 2008, paras. 41, 66–69, 76, 103–104, 107; ECtHR, Uzun v. Germany, No. 35623/05, 2 September 2010, paras. 43–48; ECtHR, Bernh Larsen Holding AS and Others v. Norway, No. 24117/08, 8 July 2013, paras. 76–78; ECtHR, Khelili v. Switzerland, No. 16188/07, 8 March 2012, paras. 20–21; ECtHR, M.M. v. the United Kingdom, No. 24029/07, 29 April 2013, paras. 122–124.
37 Venice Commission (2015), p. 24.
38 See, for example, the work of the Dutch Review Committee for the Intelligence and Security Services (CTIVD).
39 See, for example, Peers, S. (2013), pp. 2–3, on the distinction between national security and law enforcement functions of intelligence services.
40 See especially Article 19 (1996), Johannesburg Principles on national security, freedom of expression and access to information; UN, Human Rights Council, Scheinin, M. (2010).
41 See CJEU, C-387/05, European Commission v. Italian Republic, 15 December 2009, para. 45, and Article 29 Working Party (2014b), p. 24.
42 See CJEU, C-300/11, ZZ v. Secretary of the State of Home Department, 4 June 2013, para. 38.


the EU and the Member States. At present, the lack of a clear delimitation between ‘public order’ and ‘national security’ – the protection of the latter being left to the Member States without interference from the EU, in accordance with Article 4 (2) of the TFEU – influences the ongoing debate on the renewal of the EU Internal Security Strategy regarding the exchange and use of existing intelligence for countering terrorist threats.43

Although a dedicated mechanism within EU structures (the EU Intelligence Analysis Centre, INTCEN, and to some extent also the EU Satellite Centre) exists, information exchanges between national intelligence authorities take place on a voluntary and ad hoc basis, and largely outside the EU legal framework.44 What is known about information exchanges in this field is necessarily limited, as much of it is shielded from public scrutiny. Coordinated action at the EU level is therefore limited to enhancing law enforcement information exchanges, with emphasis on better utilising the potential of the European Police Office (Europol) and, to some extent, the European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union (Frontex).

The national security exemption provides a methodological challenge because of a lack of a clear delineation between surveillance activities conducted for law enforcement and for national security purposes, and the resulting variety in the involvement and competence of actors.

This unclear delineation of ‘national security’ also has repercussions for the applicability of EU law, which depends both on the interpretation of the national security exemption’s scope and on the specific characteristics of the various surveillance programmes carried out by intelligence services. Although the existence of such programmes remains largely unknown, even in light of the Snowden revelations, some contain elements that can justify the full applicability of EU law. For instance, when EU companies transfer data to intelligence services, including those of third countries,45 they are considered under the Data Protection Directive as data controllers who collect and process data for their own commercial purposes. Any subsequent data processing activities, such as the transfer of personal data to intelligence services for the purpose of the protection of national security, will therefore fall within the scope of EU law.46 Any limitations of the rights to privacy and personal data protection should be examined according to Article 13 of the Data Protection Directive and Article 15 of the e-Privacy Directive, as well as Article 52 (1) of the Charter. Such limitations are to be treated as exceptions to the protection of personal data, and thus subject to narrow interpretation and requiring proper justification.47 The essence of the right to privacy and protection of personal data shall at any rate be respected. The ‘national security’ exception thus cannot be seen as entirely excluding the applicability of EU law. As the UK Independent Reviewer of Terrorism Legislation recently put it,

“National security remains the sole responsibility of each Member State: but subject to that, any UK legislation governing interception or communications data is likely to have to comply with the EU Charter because it would constitute a derogation from the EU directives in the field.”48

Finally, even when EU law does not apply, other international instruments do, notably the ECHR and Convention 108 49 and its 2001 Additional Protocol.50 The CJEU refers to Member States’ international obligations under the ECHR when a subject matter falls outside EU law.51

Methodology

This report draws on data provided by the agency’s multidisciplinary research network Franet, which were collected through desk research in all 28 EU Member States, based on a questionnaire submitted to the network.52

43 This relates particularly to the debate on whether more effective exchanges of intelligence within and between Member States could prevent terrorist attacks by persons already known to national authorities, as was allegedly the case with perpetrators of the 2014 Brussels and 2015 Paris attacks.
44 For instance through the Club de Berne and the derived Counter Terrorist Group, an intelligence-sharing forum that specifically focuses on counterterrorism intelligence and encompasses all EU Member States, as well as Norway and Switzerland.
45 See Article 29 Working Party (2014c), Section 5 on data transfers to non-EU countries.
46 CJEU, C-362/14, Maximillian Schrems v. Data Protection Commissioner, 6 October 2015.
47 CJEU, C-387/05, European Commission v. Italian Republic, 15 December 2009, para. 45.
48 Anderson, D., Independent Reviewer of Terrorism Legislation (2015), p. 71.
49 Council of Europe, Convention 108; CJEU, C-387/05, European Commission v. Italian Republic, 15 December 2009, para. 45.
50 Council of Europe, Convention 108, Additional Protocol.
51 CJEU, C-127/08, Metock v. Minister of Justice, Equality and Law Reform, 25 July 2008, paras. 74–79.
52 See FRA (2014b).

Additional information was gathered through desk research and exchanges with key partners, including a number of FRA’s national liaison officers in the Member States and individual experts. These include Ian Cameron, Professor of International law, Uppsala University, and Member of the Venice Commission; Douwe Korff, Emeritus Professor of International Law, Metropolitan University and Oxford Martin


Associate, Oxford Martin School, University of Oxford; Andreas Krisch, managing partner, mksult GmbH, Vienna, Austria; Ian Leigh, Professor of Law, Durham University; Carly Nyst, Legal Director, Privacy International, London; Peter Schaar, Chair of the European Academy for and Data Protection and former German Federal Commissioner for Data Protection and Freedom of Information (2003-2013); and Martin Scheinin, Professor at the European University Institute, coordinator of the FP7 project SURVEILLE (Surveillance: Ethical Issues, Legal Limitations, and Efficiency), and former United Nations Special Rapporteur on human rights and counter-terrorism.

FRA expresses its gratitude for these valuable contributions. The opinions and conclusions in this report do not necessarily represent the views of the organisations or individuals who helped develop the report.

While this report maps the EU-28 legal frameworks, the FRA findings also draw on existing reports and publications aimed at supporting national legislators in setting up legal frameworks for the intelligence services and their democratic oversight.53 The findings refer in particular to the compilation of good practices issued by Scheinin as Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism.54

The mapping of legal frameworks in the EU in this report follows the structure the ECtHR suggests for surveillance cases. So far, most of the cases brought before the Strasbourg judges have focused on the legality of interferences with the right to privacy – in other words, whether the secret surveillance was “in accordance with the law”. Contrary to its other jurisprudence, the ECtHR has added to the legality test stricto sensu requirements for other specific safeguards that surveillance laws should have. As stated by Cameron, “[A] law, or legal mechanism, which is regarded as deficient in formulation (e.g. because it is imprecise) may nonetheless be corrected by a safeguard (e.g. because it compensates for the risk of abuse caused by the imprecision)”.55 This relates to the approval mechanism of the measure and the oversight mechanism controlling its implementation, as well as to available remedies.

Following this approach, after providing overviews of the intelligence services and surveillance laws in the EU Member States (Chapter 1), this report presents the safeguards in place (Chapter 2), and the available remedies (Chapter 3).

53 See, for example, Venice Commission (2007); Venice Commission (2015); or Born, H. and Wills, A. (eds.) (2012).
54 UN, Human Rights Council, Scheinin, M. (2010).
55 See Cameron, I. (2013), p. 164.

1 Intelligence services and surveillance laws

1.1. Intelligence services

UN good practices on mandate

Practice 1. Intelligence services play an important role in protecting national security and upholding the rule of law. Their main purpose is to collect, analyse and disseminate information that assists policymakers and other public entities in taking measures to protect national security. This includes the protection of the population and their human rights.

Practice 5. Intelligence services are explicitly prohibited from undertaking any action that contravenes the Constitution or international human rights law. These prohibitions extend not only to the conduct of intelligence services on their national territory but also to their activities abroad.

UN, Human Rights Council, Scheinin, M. (2010)

The organisation of the intelligence community in each EU Member State is closely linked to historical developments, wars and external threats. The intelligence community is therefore greatly diverse. Intelligence scholars have drawn up models based on existing intelligence community structure.56 This is an area of state sovereignty not affected by ECtHR case law; the institutional organisation and services’ mandates belong to the state prerogatives and are guided by identified threats and needs. This chapter provides a description of the main actors.

To analyse the work of the security and intelligence services in the EU, a short description of these services and their core functions is necessary. First, a conceptual clarification: ‘intelligence services’ are agencies focusing on external threats (they have a foreign mandate), while ‘security services’ are agencies focusing on domestic threats, with a domestic mandate.57 This report uses generic terminology and refers to ‘intelligence services’ for both. Born and Wills suggest the following definition of an intelligence service: “A state organisation that collects, analyses, and disseminates information related to threats to national security”.58 The line between “foreign” and “domestic” threats is often blurred. Such is the case with terrorist activities, which are often of transnational character. As a result, close cooperation between services with a domestic mandate and services with a foreign mandate is usually necessary. The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism adopted the same approach, so the UN good practices could apply to internal, external, civil and military services.59

The Annex shows that intelligence services are organised in different agencies based on their mandate. The table focuses only on the services, and not the coordination bodies that might exist in Member States, such as the Department for Security Information (DIS) in Italy or the National Intelligence Coordinator in France, which is part of the French intelligence community.60 Moreover, the differences between internal and external mandates should not be overemphasised since the surveillance of digital does not necessarily recognise geographical borders.

56 See Cousseran, J.-C. and Hayez, P. (2015), p. 35 and following.
57 Born, H. and Leigh, I. (2005), p. 31.
58 Born, H. and Wills, A. (eds.) (2012), p. 6. See also Cousseran, J.-C. and Hayez, P. (2015), p. 41.
59 UN, Human Rights Council, Scheinin, M. (2010), p. 4.
60 France, Defence Code (Code de la Défense), Art. D 1122–8–1.

Almost all EU Member States have established at least two different bodies for conducting civil and military intelligence activities. In practice, the line separating the mandates between civil and military security


services is becoming increasingly blurred.61 A distinction can sometimes be established, though, in the referred authorities: civil intelligence services are generally subordinate to interior ministries, sometimes also to the prime ministers, whereas military bodies refer to the Ministry of Defence. This report focuses on civil intelligence services.

In some Member States, such as France, Germany, Italy, Romania and Poland, civil intelligence services are further divided into two separate services, mandated with a domestic or foreign scope. Moreover, some Member States grant intelligence-like means to units specialised in a defined threat, such as organised in Spain, corruption in Poland or the fight against terrorism in Hungary.

Another key element to consider is the extent of the relationship between security services and law enforcement. Indeed, an organisational separation between intelligence services and law enforcement authorities is commonly considered a safeguard against the concentration of powers into one service and the risk of arbitrary use of information obtained in secrecy. As noted in 1999 by the Parliamentary Assembly of the Council of Europe (PACE), “[I]nternal security services should not be authorised to carry out law enforcement tasks such as criminal investigations, arrests, or detention. Due to the high risk of abuse of these powers, and to avoid duplication of traditional police activities, such powers should be exclusive to other law enforcement agencies”.62 The majority of intelligence services have their own structure and organisation, independent of the police and other law enforcement authorities.

In Germany, for example, the Act on the Federal Intelligence Service (BND) specifically states that the BND “must not be attached to a police authority”.63 The separation of police and intelligence services is not explicitly laid down in the Basic Law (Grundgesetz), i.e. the constitution. Its constitutional protection has been a subject of discussion in academia, while the Federal Constitutional Court has not directly addressed the issue.64 In Estonia, the Security Police became the Internal Security Service (Kaitsepolitseiamet, KAPO) in 2001. More recently, in Sweden (as of 1 January 2015), the Security Service (Säkerhetspolisen, SÄPO) was reorganised into a separate authority, independent of the rest of the new police authority.65 Few Member States make exceptions to this rule; they include Austria, Denmark, Finland, Ireland, and Latvia, where the body responsible for conducting intelligence activities belongs directly to the police and/or law enforcement authorities. In Hungary, a specific body of the police, specialised in counter-terrorism, is allowed to conduct non-criminal investigations and use secret surveillance methods for this purpose.

However, such organisational separation in law does not necessarily mean that the exchange of information and personal data between law enforcement and intelligence services is prohibited by law, given increasingly common fields of competence, such as the fight against terrorism. Indeed, national legislation may provide for data transfers between these authorities, in accordance with the rights to privacy and personal data protection.66 As stated by the Council of Europe Commissioner of Human Rights, this cooperation should take place within a clear legal framework.

“Co-operation between law enforcement agencies and national security agencies can only happen under the rule of law if both agencies act in accordance with rule of law principles [e.g. clear legal frameworks].”
Council of Europe Commissioner for Human Rights (2014), p. 110

The more intelligence services shift their activities from state to non-state entities and individuals or groups of individuals, as in the case with terrorist organisations, the more important respect of the rule of law becomes. The enactment of laws is indeed a relatively recent process.67 The turn to law might have been challenged following the attacks of 11 September 2001 on the United States.68 Recent revelations regarding the intelligence services’ surveillance capabilities, however, have underscored the need to respect the fundamental principle of the rule of law in democratic societies.

In short, the organisation of intelligence services in the EU is extremely diverse and dependent on Member State specificities. The intelligence community in each Member State is increasingly established by law.

Cousseran and Hayez note that there is a growing tendency to establish the intelligence community by law.

« Le renseignement demeure une information et une activité secrètes mais n’est désormais plus une organisation secrète. » (Intelligence remains a secret information and a secret activity but is no longer carried out by a secret organisation – FRA translation).
Cousseran, J.-C. and Hayez, P. (2015), p. 55

61 See Venice Commission (2015), p. 8; Cousseran, J.-C. and Hayez, P. (2015), p. 30.
62 PACE (1999), p. 2.
63 Germany, Act on the Federal Intelligence Service (Gesetz über den Bundesnachrichtendienst), 20 December 1990, as amended, Section 1. See also Section 2 (3) of the same act.
64 Sule, S. (2006), pp. 121–123.
65 Sweden, Ministry of Justice (Justitiedepartementet) (2012).
66 Sule, S. (2006), pp. 128 and 236.
67 See Laurent, S.-Y. (2014), p. 160.
68 Chesterman, S. (2011), p. 9.


1.2. Surveillance measures

UN good practices on intelligence collection and management and use of personal data

Practice 21. National law outlines the types of collection measures available to intelligence services; the permissible objectives of intelligence collection; the categories of persons and activities which may be subject to intelligence collection; the threshold of suspicion required to justify the use of collection measures; the limitations on the duration for which collection measures may be used; and the procedures for authorising, overseeing and reviewing the use of intelligence-collection measures.

Practice 23. Publicly available law outlines the types of personal data that intelligence services may hold, and which criteria apply to the use, retention, deletion and disclosure of these data. Intelligence services are permitted to retain personal data that are strictly necessary for the purposes of fulfilling their mandate.

Practice 24. Intelligence services conduct regular assessments of the relevance and accuracy of the personal data that they hold. They are legally required to delete or update any information that is assessed to be inaccurate or no longer relevant to their mandate, the work of oversight institutions or possible legal proceedings.

UN, Human Rights Council, Scheinin, M. (2010)

The following paragraphs clarify the terms that will be used in the report. First, the section outlines surveillance measures related to technical collection, then distinguishes between targeted and untargeted collection.

1.2.1. Technical collection

‘Technical collection’ is traditionally distinguished from ‘human collection’, which takes place on the ground. Technical collection refers to the automated gathering of information through the interception and collection of digital data related to the subject of intelligence activity.69 It is based on four key pillars: 1) , i.e. (or decryption) of communications; 2) signals intelligence (SIGINT); 3) imagery or photo intelligence (IMINT); and 4) digital intelligence.70

In the digital age, these four pillars tend to disappear. They are merged into one single concept of ‘digital network intelligence’ (DNI), a term used by the NSA.71 In fact, the National Research Council of the National Academies concludes that “signals intelligence has come to embrace almost any data stored on an electronic device”.72 Omand, a former GCHQ director, refers to this type of collection as ‘digital intelligence’.73 According to the Venice Commission, “SIGINT is a collective term referring to means and methods for the interception and analysis of radio (including satellite and cellular phone) and cable-borne communications”.74 Lowenthal’s definition clearly shows that SIGINT derived from military intelligence. Indeed, SIGINT was traditionally used by military and foreign intelligence services to prevent military actions endangering national security.75

“SIGINT consists of several different types of intercepts. The term is often used to refer to the interception of communications between two parties, or COMINT. SIGINT can also refer to the pickup of data relayed by weapons during tests, which are sometimes called telemetry intelligence (TELINT). Finally, SIGINT can refer to the pickup of electronic emissions from modern weapons and tracking systems (military and civil), which are useful means of gauging their capabilities, such as range and frequencies on which systems operate. This is sometimes referred to as ELINT (electronic intelligence) but is more customarily referred to as FISINT (foreign instrumentation signals intelligence). The ability to intercept communications is highly important, because it gives insight into what is being said, planned, and considered.”
Lowenthal, M. (2015), pp. 118–119.

With the development of digital communications, national borders (i.e. the indications of what is foreign and what is national) are more difficult to identify. Furthermore, national security threats are not only posed by states, but also by terrorist groups and organised crime networks. Since the fight against terrorism led to (internal) security services using SIGINT, this report focuses only on such interception, strictly speaking, for non-military purposes. In doing so, FRA aligns its analysis with the scope of the EP resolution, which does not cover military threats. FRA uses ‘signals intelligence’ (SIGINT) as a generic term that covers the elements used in the EP resolution,76 even though most of it could fall into the communications intelligence (COMINT) category. However, since detailed surveillance methods by intelligence services rarely appear in the text of the law, FRA uses ‘signals intelligence’ as an encompassing term.77

69 European Parliamentary Research Service (EPRS), Science and Technology Options Assessment (STOA) (2014a); EPRS, STOA (2014b).
70 See Cousseran, J.-C. and Hayez, P. (2015), p. 91 and following.
71 Ibid., p. 92.
72 United States, National Research Council (2015), p. ix.
73 Omand, D. (2015).
74 Venice Commission (2015), p. 8.
75 See Venice Commission (2015), p. 8. See also Lowenthal, M. (2015), pp. 118–119; Brown, I. et al. (2015), p. 5; Cousseran, J.-C. and Hayez, P. (2015), pp. 65 and 90.
76 European Parliament (2014), para. 1.
77 For detailed explanations of how SIGINT are used by the NSA, see United States, National Research Council (2015).

For intelligence services, one of the key challenges of collection is the quantity of data available. As Lowenthal puts it, “[A]s of 2013, there are some 7 billion telephones worldwide […] generating some 12.4 billion calls every


day. Newer communications channels add to the total. In the United States alone, 2.2 trillion text messages were sent in 2012, as well as 400 million tweets (Twitter messages) daily in 2013.”78 This requires important budgetary investments that not all countries can afford. Cousseran and Hayez identify the following EU countries as having services with important capacities that can afford SIGINT collection: the UK (5,500 staff working at GCHQ), France (2,100 staff working at the Directorate General of External Security (Direction de la sécurité extérieure, DGSE) and 700 staff working at the Directorate of (Direction du renseignement militaire, DRM), Germany (1,000 staff working at the BND) and Sweden (Försvarets Radioanstalt).79 Brown et al. add the Netherlands, Italy and Spain to the list of Member States performing SIGINT.80 The US National Research Council’s analysis shows that SIGINT requires discriminants (or selectors) to make it possible to filter the data before its storage, and further analysis by the intelligence services (example: “all email addresses used in communications with Yemen”).81 Figure 1 illustrates this process.

Figure 1: A conceptual model of signals intelligence (stages shown: Signal, Extract, Filter, Store, Analyze, Disseminate; other labels: Collection, Discriminant, Query, Other intelligence sources)
Source: United States, National Research Council (2015), p. 28

When ‘signals intelligence’ is not used, institutions and commentators use various terms to refer to these surveillance techniques. The UN refers to “bulk access to communications and content data without prior suspicion”,82 “high levels of Internet penetration”,83 “intercept digital communications”,84 or “governmental mass surveillance”.85 The Committee of Ministers of the Council of Europe refers to “broad surveillance of citizens”,86 the specialised ministers of the Council of Europe refer to “the question of gathering vast amounts of electronic communications data on individuals by security agencies”,87 and the Parliamentary Assembly of the Council of Europe entitled its report “mass surveillance”.88 The European Parliament refers to “mass surveillance” (see the Resolution), and Bigo et al. in their commissioned report for the European Parliament refer to large-scale surveillance and “cyber-mass surveillance”.89

78 Lowenthal, M. (2015), p. 120.
79 Cousseran, J.-C. and Hayez, P. (2015), p. 92 (number of staff working at the Swedish SIGINT agency not specified). See also Bigo, D. et al (2013), p. 21.
80 Brown, I. et al. (2015), p. 9.
81 See United States, National Research Council (2015), p. 36. A discriminant is defined as “detailed instructions for searching a of collected data”. See also Belgium, Standing Committee I (2015), p. 12.
82 UN, Human Rights Council, Emmerson, B. (2014), p. 4.
83 Ibid.
84 UN, Human Rights Council (2015), p. 2.
85 UN, OHCHR (2014), p. 3.
86 Council of Europe, Committee of Ministers (2013).
87 Council of Europe, Conference of Ministers responsible for Media and Information Society (2013), para. 13 (v).
88 PACE (2015b).
89 Bigo, D. et al. (2013), p. 14.
90 Venice Commission (2015), p. 9.

Finally, the Venice Commission uses the concept of ‘strategic surveillance’ to emphasise that “signals intelligence can now involve monitoring of ‘ordinary communications’”.90 In doing so, it builds on the concept used in German law (strategic restriction, strategische Beschränkung), adding that ‘strategic surveillance’ also includes “signals intelligence to collect information


on identified individuals and groups”,91 therefore covering initially untargeted surveillance that becomes more targeted. The word ‘strategic’ denotes a process involving a selection by way of automated tools. The data goes through selectors or discriminants applied by algorithms. This touches on the second key aspect of the EP resolution definition, which requires an explanation of the distinction between targeted and untargeted collection.

In short, when ‘signals intelligence’ – which FRA applies generically – is not used, Member State terminology will guide this report’s legal analysis.

1.2.2. Targeted and untargeted collection

This report looks at the impact of surveillance on fundamental rights and at available remedies, so covers targeted surveillance as well as untargeted surveillance by intelligence services.

The Dutch Review Committee for the Intelligence and Security Services (CTIVD) defines targeted and untargeted surveillance as follows:

• targeted interception: “Interception where the person, organisation or technical characteristic at whom/which the data collection is targeted can be specified in advance”;
• untargeted interception: “Interception where the person, organisation or technical characteristic at whom/which the data collection is targeted cannot be specified in advance”.

The Netherlands, CTIVD (2014a), p. 45 and following

The wide-reaching reactions to the Snowden revelations were triggered by the scale of data collected through the revealed programmes. The concept of ‘mass surveillance’ illustrates the difference between the amount of data collected through these programmes and the data collected through traditional secret (targeted) surveillance methods, such as telephone tapping. The latter presupposes the existence of prior suspicion of a targeted individual or organisation. This type of surveillance is widely known in EU Member States’ laws. Since the overwhelming majority of EU Member States’ legal frameworks do not regulate or indeed speak of ‘mass surveillance’ as such – “mass surveillance is not a legal term”92 – it is important to analyse how targeted surveillance is prescribed in EU Member States’ legal frameworks to assess how fundamental rights are upheld.

The concept of ‘untargeted surveillance’ is more problematic to delineate because a surveillance measure can start without prior suspicion or a specific target, which is defined after collection and filtration of certain data. In the US context, the distinction is made between ‘bulk’ and ‘targeted’ collection in the context of SIGINT. The National Research Council of the National Academies acknowledged in its report on signals intelligence, however, that this distinction “is quite unclear”.93 It suggested the following distinction: “If a significant portion of the data collected is not associated with current targets, it is bulk collection; otherwise, it is targeted.”94 This is what the Venice Commission’s definition highlights when it defines strategic surveillance: its difference with law enforcement surveillance and its impact on fundamental rights.95

“Strategic surveillance thus differs in a number of ways from surveillance in law enforcement or more traditional internal security operations. It does not necessarily start with a suspicion against a particular person or persons. It can instead be proactive: finding a danger rather than investigating a known danger. Herein lay both the value it can have for security operations, and the risk it can pose for individual rights. Prosecution is not the main purpose of gathering intelligence. The intelligence is, however, stored and used in a number of ways which can affect human rights.”
European Commission for Democracy through Law (Venice Commission) (2015), p. 12.

Distinguishing between mass surveillance and targeted surveillance requires a close analysis of the various surveillance programmes. Cayford et al.’s analysis of several surveillance programmes revealed by Snowden illustrates this. While the authors consider, for example, PRISM96 to be “a targeted technology used to access court ordered foreign internet accounts”,97 they consider wiretapping of fiber-optic cables programmes as revealed in the UPSTREAM or TEMPORA98 programmes to be mass surveillance.

91 Ibid., p. 9, fn. 3.
92 Ibid., p. 14.
93 United States, National Research Council (2015), p. 33.
94 Ibid., p. 2, footnote omitted.
95 See also Bigo, D. et al. (2013), p. 15.
96 For a definition, see European Parliament, Committee on Civil Liberties, Justice and Home Affairs (2013a).
97 Cayford, M. et al. (2015), p. 646.
98 For a definition, see European Parliament, Committee on Civil Liberties, Justice and Home Affairs (2013a).

The Snowden revelations have demonstrated that current legal frameworks and oversight structures have been unable to keep up with technological developments that allow for the collection of vast amounts of data. In some cases, outdated laws not intended to regulate these new forms of surveillance are being used to justify them. Moreover, the Council of Europe Commissioner for Human Rights stated that “in many Council of Europe member states, bulk, untargeted surveillance by security services is either not regulated by any publicly

17 Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU

available law or regulated in such a nebulous way that 1.3. Member States’ laws the law provides few restraints and little clarity on these measures”.99 Consequently, in some Member States, on surveillance discussion about the adequacy of the legal frameworks “Security services have a number of characteristics that 100 triggered calls for legal reforms. create the potential for human rights if these services are not subject to effective oversight and underpinned by Brouwer summarised one of the key conclusions of the effective laws. These characteristics include recourse to very Dutch Review Committee’s investigation as follows: invasive powers that can be used in a highly discretionary “Technological developments – and consequently the manner, undertaken largely in secret and, in some countries, digitalisation of society – have not only largely facili- viewed as an instrument of the incumbent government that tated digital communication and the digital storage of can be used for political purposes.” large volumes of data by individuals, they have by that Council of Europe Commissioner for Human Rights (2015), p. 19 consequently also increased the possibilities of the ser- vices to acquire, process and exchange this data. This This chapter presents the legal frameworks on surveil- means that there is much more personal data available lance in the EU-28. It focuses first on the quality of the for processing than ever before.”101 In the United States, surveillance laws by referring to the ECtHR standards. President Obama requested the Director of National It then looks at the aims of the surveillance laws, and Intelligence (DNI) to “assess the feasibility of creating in particular at how they address national security. 
The software that would allow the IC [Intelligence Com- following analysis does not assess the implementation munity] to more easily conduct targeted information of the legislation; FRA will provide such an assessment acquisition [of signals intelligence] rather than bulk following future fieldwork research entailing data col- collection”.102 The DNI tasked the National Research lection on implementation. Council with conducting this assessment. In its report, the National Research Council concluded that no soft- 1.3.1. Surveillance ‘in accordance with ware technique could fully substitute bulk collection, but the law’ suggested enhancing automatic controls of the usage of data collected.103 UN good practices on mandate and legal Delmas-Marty nicely summarises the difference in basis approaches to targeted and untargeted surveillance: “Instead of starting from the target to find the data, Practice 2. The mandates of intelligence services are nar- one starts with the data to find the target. Au[ lieu de rowly and precisely defined in a publicly available law. Man- dates are strictly limited to protecting legitimate national partir de la cible pour trouver les données, on part des security interests as outlined in publicly available legisla- données pour trouver la cible].”104 tion or national security policies, and identify the threats to national security that intelligence services are tasked to address. If terrorism is included among these threats, it is defined in narrow and precise terms. Practice 3. The powers and competences of intelligence ser- vices are clearly and exhaustively defined in national law. They are required to use these powers exclusively for the purposes for which they were given. In particular, any pow- ers given to intelligence services for the purposes of coun- ter-terrorism must be used exclusively for these purposes. Practice 4. 
All intelligence services are constituted through, and operate under, publicly available laws that comply with 99 Council of Europe Commissioner for Human Rights (2015), the Constitution and international human rights law. Intel- p. 23. For an example of proposed legal changes, see: ligence services can only undertake or be instructed to un- The Netherlands, Draft law on the Intelligence and dertake activities that are prescribed by and in accordance Security Services 20XX (Concept-wetsvoorstel Wet op de with national law. The use of subsidiary regulations that are inlichtingen- en veiligheidsdiensten 20XX), 02 July 2015. not publicly available is strictly limited, and such regulations 100 See in Germany, Löning, M. (2015); The Netherlands, Draft law on the Intelligence and Security Services 20XX; United are both authorized by and remain within the parameters of Kingdom, Anderson, D., Independent Reviewer of Terrorism publicly available laws. Regulations that are not made pub- Legislation (2015), p. 8; Austria, State Security Bill (Entwurf lic do not serve as the basis for any activities that restrict Polizeiliches Staatsschutzgesetz – PStSG), 1 July 2015, human rights. Explanatory note (Erläuterungen), 31 March 2015. 101 Brouwer, H. (2014), p. 4. See also, Cayford, M. et al. (2015), UN, Human Rights Council, Scheinin, M. (2010) p. 643. 102 See United States, The White House (2014). 103 See United States, National Research Council (2015). That it is important to define the role and tasks of intelli- 104 Delmas-Marty, M. (2015). gence services in legislation is an accepted human rights

18 Intelligence services and surveillance laws

standard. Yet, as Born and Leigh state, “[T]he rule of law act regulating the mandate of the Danish Security and requires more than a simple veneer of legality.”105 The Intelligence Service (PET) was enacted in 2009, and an well-established standards that stem from the ECtHR’s act codifying the activities of the Danish intelligence case law support the UN good practices. Any interfer- services entered into force in 2014. While the latter ence with Article 8 of the ECHR needs to be estab- does not alter the basic tasks of the intelligence ser- lished in law. This means that surveillance measures vice, it establishes new rules on how to collect, process must be established in a statute.106 This does not mean, and disclose personal data. however, that the full surveillance measures have to be established by a law; administrative regulations or well-established case law can specify the law on the ECtHR case law: quality of the law 107 books. This flexible approach is particularly impor- “[F]oreseeability in the special context of secret meas- tant in an area where the details of surveillance tech- ures of surveillance, such as the interception of commu- niques cannot all be prescribed by law (see UN good nications, cannot mean that an individual should be able practice No. 4). to foresee when the authorities are likely to intercept his communications so that he can adapt his conduct ac- Furthermore, the law has to be of a certain quality. In cordingly […]. However, especially where a power vest- other words, the law must be accessible and foresee- ed in the executive is exercised in secret, the risks of able. In its case law on surveillance, the ECtHR often arbitrariness are evident […]. It is therefore essential to concludes that the cited domestic legal basis is insuffi- have clear, detailed rules on interception of telephone conversations, especially as the technology available cient or not ‘in accordance with the law’. 
Both national for use is continually becoming more sophisticated […]. rules governing the interception of individual commu- The domestic law must be sufficiently clear in its terms nications and more general programmes of surveillance to give citizens an adequate indication as to the circum- should therefore comply with the rule of law and be stances in which and the conditions on which public au- accessible to the individual, who needs to be able to thorities are empowered to resort to any such measures assess how a specific piece of legislation can impact […]. Moreover, since the implementation in practice of his or her actions.108 Moreover, it is important to note measures of secret surveillance of communications is that interference with a right deemed permissible under not open to scrutiny by the individuals concerned or the national law is not necessarily lawful under interna- public at large, it would be contrary to the rule of law tional law. It may in fact conflict with a range of inter- for the legal discretion granted to the executive or to national standards.109 a judge to be expressed in terms of an unfettered pow- er. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities Given the seriousness of the interference, the ECtHR and the manner of its exercise with sufficient clarity to has developed a set of minimum safeguards for laws give the individual adequate protection against arbi- 110 to pass the ‘quality’ test. These criteria have been trary interference.” established in the context of targeted surveillance and, ECtHR, Weber and Saravia v. Germany, No. 54934/00, 29 June 2006, as highlighted in two ECtHR judgments addressing qual- paras. 93–94 ity of the law, are applicable to SIGINT, as well. 
“In its case-law on secret measures of surveillance, the Court has developed the following minimum safeguards FRA data show that for some Member States the legal that should be set out in statute law to avoid abuses of basis that frames the intelligence services’ mandates power: the nature of the offences which may give rise and powers is constituted by one unique legal act gov- to an interception order; a definition of the categories erning their organisation and means (such as Esto- of people liable to have their telephones tapped; a limit nia or Luxembourg). In others, complex frameworks on the duration of telephone tapping; the procedure to made up of several laws and ordinances regulate spe- be followed for examining, using and storing the data cific aspects of the services’ mandate, organisation, obtained; the precautions to be taken when communi- competences or means. Most Member States, though, cating the data to other parties; and the circumstances organise the work of the intelligence services in two in which recordings may or must be erased or the tapes laws: one on the mandate and organisation of the ser- destroyed.” vice, the other on means of action and the conditions ECtHR, Weber and Saravia v. Germany, No. 54934/00, 29 June 2006, for using them. This is the case in Denmark, where the para. 95 “The Court does not consider that there is any ground to apply different principles concerning the accessibil- 105 Born, H. and Leigh, I. (2005), p. 19. ity and clarity of the rules governing the interception of 106 ECtHR, Heglas v. Czech Republic, No. 5935/02, 1 March 2007, individual communications, on the one hand, and more para. 74. 107 See Cameron, I. (2013), p. 172. general programmes of surveillance, on the other.” 108 ECtHR, Liberty and Others v. the United Kingdom, ECtHR, Liberty and Others v. the United Kingdom, No. 58243/00, No. 58243/00, 1 July 2008, para. 59. 1 July 2008, para. 63 109 UN, OHCHR (2014), para. 21. 110 See Cameron, I. (2013).


To assess the quality of law requirement, it is important to look at how targets are defined in EU Member States in both cases of targeted surveillance and of signals intelligence. This includes clearly defining the categories of persons and activities that may be subject to intelligence collection.

1.3.1.1. Targeted surveillance

A review of the legal frameworks that regulate surveillance methods used by intelligence services shows that almost all Member States (26/28, with the exceptions of Cyprus and Portugal) have codified their use into law. In Cyprus, a bill regulating the intelligence service’s functioning is under discussion.111 In Portugal, intelligence services are not entitled to conduct surveillance activities. Article 34 (4) of the constitution limits their mandate by not allowing any sort of intrusion into mail, telephone or communications other than in the course of a criminal investigation. Since the intelligence services cannot perform criminal investigations, they do not have, by law, surveillance powers. Their mandate is limited to promoting research and analysis, processing intelligence and archiving and disseminating the information gathered.

Targeted surveillance as regulated in the Member States’ laws refers to concrete targets upon suspicion that an act falling within the remit of the intelligence services’ tasks could be committed before a surveillance measure can be initiated. In several Member States, such targets may either be a group of people (defined through their relation to an organisation or a legal person) or an individual. This is the case in Austria, Belgium, Denmark, Finland, France, Italy, Lithuania and Slovakia. In some other Member States, such as Greece, the law does not explicitly mention the requirement of suspicion-based surveillance and prior identification of an individual or a group thereof.112

In Denmark, for example, the Security and Intelligence Service (Politiets Efterretningstjeneste, PET) can carry out ‘coercive and investigative measures’ in accordance with the Administration of Justice Act113 where:

• there are specific grounds for suspicion that information is being transferred from/to the subject of the coercive measure;
• the coercive measure is strictly required for the investigation;
• the investigation is conducted in relation to a crime punishable with a minimum of six years of imprisonment, or for the prevention and investigation of the enumerated in chapters 12 and 13 of the Danish Penal Code, e.g. terrorism.

PET collects information that “could be of importance” to its activities and conducts investigations that “can be assumed to be of importance” to its efforts in relation to counter-terrorism or that are “strictly required” for its other activities.114

In short, targeted collection takes place when the target is known before the surveillance measure is initiated.

1.3.1.2. Signals intelligence

FRA’s analysis of the legal frameworks that regulate surveillance methods used by intelligence services shows that five Member States (France, Germany, the Netherlands, Sweden and the United Kingdom) detail the conditions that permit the use of both targeted surveillance and signals intelligence. This report focuses on these five Member States due to the existence of detailed legislation on SIGINT. This does not mean that this list is in any way exhaustive. FRA’s selection is based on the fact that this type of collection is prescribed, in detail, in the law.

Three examples illustrate where the accessible law of a Member State provides insufficient details to allow for a legal analysis of the exact procedure in place on how signals intelligence is collected.115 First, in Italy, the relevant articles establishing the intelligence service (AISE) do refer in very general terms to the need for AISE to collect relevant information for the protection of national interest, but no reference to specific methods is made.116 However, the director of AISE described AISE’s communications intelligence (COMINT) activities to the Italian parliamentary oversight committee (COPASIR), specifying their legality within the current legal framework, and describing the methods and techniques used. During the same hearing, AISE’s SIGINT activities were also mentioned.117

Similarly, in Germany, some of the SIGINT activities that the Federal Intelligence Service (BND) may undertake are not regulated in detail by law, unlike other SIGINT activities in Germany. The Federal Intelligence Act states that the BND “shall collect and analyse information required for obtaining foreign intelligence, which is of importance for the foreign and security policy of the Federal Republic of Germany” and that it “may collect, process and use the required information, including personal data […]”.118 This definition of the BND’s competences provides the legal basis for the German intelligence service to perform SIGINT activities abroad between two foreign countries or within one single foreign country, provided that the intercepted signals have no connection – besides the actual data processing – with Germany. This SIGINT activity is referred to as “open sky” (offener Himmel), and, according to various commentators, takes place outside of any legal framework.119 So far however, no judicial decision, either in Germany or by the ECtHR, has confirmed this assessment. This surveillance method does not fall within the scope of the Act on Restricting the Privacy of Correspondence, Posts and Telecommunications (G 10 Act),120 which was adopted in application of Article 10 (2) of the Basic Law to lay down the specific conditions to restricting privacy of communications. Consequently, this surveillance method is outside the G 10 Commission’s remit (the expert body in charge of overseeing the intelligence services). The Parliamentary Control Panel is the sole body that oversees this surveillance method. The absence of tight control has triggered calls for reform, and the matter is being discussed before the NSA Committee of Inquiry (NSA-Untersuchungsausschuss).121

Finally, the French Bill on intelligence122 organised the surveillance of communications made or received abroad (international surveillance), referring to a non-public decree prescribing the modalities of its implementation.123 The Constitutional Court, however, found that the legislator did not determine the fundamental rights guarantees that need to be provided to the individuals, and so declared draft Article L. 854-1 of the Code on Interior Security contrary to the constitution and annulled the specific provision.124 Following this court decision and in order to provide a legal basis for international surveillance, a bill on the surveillance of electronic international communications was prepared and is under discussion in the French parliament.125

The following paragraphs present the legal frameworks of the five Member States that are authorised to carry out not only targeted surveillance but also signals intelligence. References to systematic access via telecommunication laws are excluded since these laws are primarily used for law enforcement purposes in their criminal investigation work, which falls outside the scope of this report.

In Germany, Article 10 (2) of the Basic Law (Grundgesetz) permits restrictions of the inviolability of the privacy of correspondence, post and . It states, “Restrictions may be ordered only pursuant to a law. If the restriction serves to protect the free democratic basic order or the existence or security of the Federation or of a Land, the law may provide that the person affected shall not be informed of the restriction and that recourse to the courts shall be replaced by a review of the case by agencies and auxiliary agencies appointed by the legislature.”

The ‘strategic restrictions’ prescribed by the G 10 Act enable the Federal Intelligence Service (Bundesnachrichtendienst, BND) to wiretap international communications to and from Germany. They are called ‘strategic’ because of their original military purpose. In 1994, the BND’s mandate was expanded to include the fight against crime. The 1994 Combating Crime Act (Verbrechensbekämpfungsgesetz)126 amended the G 10 Act, in particular the grounds on which strategic surveillance could be carried out.127 The BND is authorised to proceed only with the aid of selectors (Suchbegriffe), which serve and are suitable for the investigation of one of the threats listed in the law. The BND sets a list of either format-related selectors (e.g. telephone number or email) or content-related selectors (e.g. holy war).128 The BND needs to specify the region and the percentage of the communication channel it wants to monitor. This percentage cannot exceed 20 % of the full telecommunication channel capacity.129 In 2013, for example, the BND established a list of 1,643 selectors in the context of internal terrorism to be applied on 906 telecommunication channels, of which only 73 turned out to be useful from an intelligence point of view.130 The selectors should not contain any distinguishing features leading to a targeted connection nor affect the core area of the private sphere. These restrictions do not apply to communications outside Germany, unless they involve German citizens.131 The list of selectors and the overall request for surveillance is controlled a priori by the G 10 Commission, the German oversight body, which decides whether the measures are permissible and necessary.132 The surveillance order is valid for a renewable three-month period.

In the Netherlands, Article 13 (2) of the constitution states that “the privacy of the telephone and telegraph shall not be violated except in the cases laid down by an Act of Parliament, by or with the authorisation of those designated for the purpose by an Act of Parliament”.133 The Intelligence and Security Services Act 2002 (2002 Act) sets the conditions under which the right to privacy of communications may be restricted.134 The 2002 Act establishes a clear difference between cable-bound telecommunications, for which only targeted surveillance can be used, and non-cable bound (e.g. via satellite and radio waves) telecommunications, for which both targeted and untargeted interception is allowed (Article 27 of the Act).135 While the act applies to both the civil and military services, this report focuses exclusively on the civil intelligence service, the General Intelligence and Security Service (Algemene Inlichtingen- en Veiligheidsdienst, AIVD). AIVD focuses its SIGINT collection on communications intelligence (COMINT), which is the focus of this report because it includes analogue (telephone and telefax) and digital streams, which are transmitted via the Internet. AIVD therefore intercepts communication content and metadata (telephone number, IP addresses, time and duration of the call, as well as location).136 The (JSCU) performs the SIGINT collection for AIVD. It filters the digital streams based on selectors approved by the Minister of the Interior and Kingdom Relations. Analogue communication is not filtered before it is transmitted to AIVD, because the amount of data is quite small nowadays due to the ever increasing development of digital communications.137 According to Article 27 (2) of the 2002 Act, no permission is required at the stage of untargeted collection and recording. The AIVD seeks the ministers’ approval before searching the content of the data provided by JSCU. According to AIVD, a search in the metadata from SIGINT does not require ministerial approval either. This approach, while sound according to Dutch law, has been criticised by the Review Committee, which called for legal reform.138 The search terms can either be targeted based on a name or number139 – rules on targeted surveillance then apply – or on a topic.140 The minister’s permission is granted for three months renewable for targeted surveillance. The permission is for a maximum of one year for selections based on topics, since this is less privacy invasive. Figures on the number of untargeted operations performed are not published, despite calls for enhanced transparency by the CTIVD.141

111 Cyprus, Draft Law of 2014 (Ο περί της Κυπριακής Υπηρεσίας Πληροφοριών (ΚΥΠ) Νόμος του 2014), submitted to the House of Representatives on 23 September 2014.
112 Greece, Act 2225/1994 on the protection of freedom of correspondence and communications and other provisions (Νόμος 2225/1994 για την προστασία της ελευθερίας της ανταπόκρισης και άλλες διατάξεις), 18 July 1994, as amended, Art. 5 (1) in combination with Art. 3 (2).
113 Denmark, Administration of Justice Act, Consolidated Act No. 1139, (Retsplejeloven, lovbekendtgørelse nr. 1139 af 24. september 2013), 24 September 2013, Section 754 (a).
114 Denmark, Act No. 604 on the Danish Security and Intelligence Service as amended by Act No. 1624 of 26 December 2013 (Lov nr. 604 af 12. Juni 2013 om Politiets Efterretningstjeneste (PET), som ændret ved lov nr. 1624 af 26. december 2013), 12 June 2013, Sections 1, 3 and 4.
115 Laws in Spain and Slovenia serve as further examples. For Spain, see Spain, National Intelligence Centre Act (Ley 11/2002 reguladora del Centro Nacional de Inteligencia), 6 May 2002, Art. 4 (d), read in conjunction with Spain, Organic Law Regulating a priori judicial control of the National Intelligence Centre (Ley Orgánica 2/2002 reguladora del control judicial previo del Centro Nacional de Inteligencia), 6 May 2002, Art. 1, which tasks the Spanish intelligence service with obtaining, evaluating and interpreting the traffic of strategic signals in fulfilment of the intelligence objectives assigned to the Service. For Slovenia, see Slovenia, Intelligence and Security Agency Act (Zakon o Slovenski obveščevalno-varnostni agenciji, ZSOVA), 7 April 1999, Art. 21, which allows for the surveillance of international communication systems, but does not define these. The Information Commissioner challenged this provision before the Slovene Constitutional Court, which rejected the claim on procedural grounds, stating that the Information Commissioner may only lodge a claim for constitutional review if a question of constitutionality arises in relation to the inspection procedure. See Slovenia, Constitutional Court (Ustavno sodišče), No. U-I-45/08-21, 8 January 2009.
116 Italy, Law No. 124/2007 on the Information System for the security of the Republic and new rules on State secrets (Sistema di informazione per la sicurezza della Repubblica e nuova disciplina del segreto), 3 August 2007, Art. 6.
117 See Italy, COPASIR (2014), p. 26.
118 Germany, Act on the Federal Intelligence Service, Sections 1 (1) and 2 (1).
119 See Huber, B. (2013), p. 2575 f.; Heumann, S. and Wetzling, T. (2014), p. 13.
120 Germany, Act on Restricting the Privacy of Correspondence, Posts and Telecommunications (Article 10, G 10 Act) (Gesetz zur Beschränkung des Brief-, Post- und Fernmeldegeheimnisses (Artikel 10, Gesetz G 10)), 26 June 2001, as amended.
121 See Bäcker, M. (2014); Hoffmann-Riem, W. (2014).
122 France, National Assembly (Assemblée nationale), Bill on intelligence (Projet de loi relatif au renseignement), as adopted 25 June 2015.
123 These international surveillance measures should be distinguished from those prescribed in Art. L 811–5 (former Art. L 241–3) of the Interior Security Code (Code de la sécurité intérieure), as amended, which are not controlled by the French oversight body. See also France, National Commission for the Control of Security Interceptions (CNCIS) (2015a), p. 125 and following calling for the abrogation of this article.
124 France, Constitutional Court (Conseil constitutionnel), Decision No. 2015–713 DC, 23 July 2015. For an example of concerns expressed shortly after adoption of the bill, see French Data Network (Réseau de données français) et al. (2015), p. 69 and following.
125 France, National Assembly (Assemblée nationale), Bill on the surveillance of international electronic communications (proposition de loi relative aux mesures de surveillance des communications électroniques internationales), 1 October 2015.
126 Germany, Combating Crime Act (Verbrechensbekämpfungsgesetz), 28 October 1994.
127 See ECtHR, Weber and Saravia v. Germany, No. 54934/00, 29 June 2006 for detailed background information and the reasoning underlying the German Constitutional Court’s decision to declare parts of the 1994 Act incompatible with the German Basic Law in its judgement of 14 July 1999; Germany, Federal Constitutional Court (Bundesverfassungsgericht), 1 BvR 2226/94, 14 July 1999.
128 See Huber, B. (2013), p. 2573.
129 Germany, G 10 Act, Section 10 (4).
130 See Germany, Federal Parliament (Deutscher Bundestag) (2015), p. 8.
131 Germany, G 10 Act, Section 5 (2). Academia has questioned whether this nationality-based legislation is compatible with the German constitution and with EU Law. See Schenke, W.-R. et al. (2014), p. 1402.
132 Germany, G 10 Act, Section 15 (5).
133 The Dutch government has proposed amending the Constitution and adapting Article 13 to all forms of communications: The Netherlands, Ministry of the Interior and Kingdom Relations (2014). See also: ://zoek.officielebekendmakingen.nl/dossier/33989.
134 The Netherlands, Intelligence and Security Services Act 2002 (Wet op de inlichtingen- en veiligheidsdiensten 2002), 7 February 2002.
135 For a detailed explanation, including an analysis of parliamentary efforts, see The Netherlands, CTIVD (2014), p. 139 and following.
136 See The Netherlands, CTIVD (2014), p. 68 and following.
137 See ibid., p. 69 and following.
138 See ibid., p. 96 and following.
139 The Netherlands, Intelligence and Security Services Act 2002, Art. 27 (3) a) and b). In these cases, Art. 25 on targeted surveillance applies.
140 Ibid., Art. 27 (3) (c).
141 See The Netherlands, CTIVD (2015), p. 32.


In Sweden, Articles 1, 2 and 2 (a) of the Signals Defence Intelligence Act142 mandate a signals (which in practice is the National Defence Radio Establishment (Försvarets Radio Anstalt)) to monitor and collect signals intelligence over the airways and by way of fibre optic cables. The Defence Radio Establishment may only intercept wires that cross Sweden’s borders.143 Also, interception may not relate to signals between a sender and recipient who are both located in Sweden. If such signals cannot be separated at the time of interception, the recording or register must be destroyed as soon as it becomes apparent that such signals have been intercepted.144 The Defence Radio Establishment may not intercept signals intelligence on its own initiative; the government, its offices, the armed forces or its security service must task it to do so, and the Foreign Intelligence Court must approve such requests. The permits are issued for up to six months and can be renewed for further six-month periods.145 The National Defence Radio Establishment then collects the signals that are transferred to the ‘interaction points’ by the Communication Service Providers (CSPs), and filters them with the use of certain selectors (or search terms) in an automated manner.146

In the United Kingdom, signals intelligence is referred to under the terminology of “interception of external communications in the course of their transmission by means of a telecommunication system” in Section 8.5 of the 2000 Regulation of Investigatory Powers Act (RIPA). This includes the associated communications data. ‘Telecommunication system’ is defined by RIPA as “any system (including the apparatus comprised in it) which exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy”.147 The British Intelligence and Security Committee of Parliament (ISC) refers to this as ‘bulk interception’. Warranting of the interception of such external communications is done in the terms set out in Section 8.4 of RIPA, which must be read in conjunction with Sections 5, 15 and 16 of RIPA. Section 5 states that the Secretary of State may only issue a warrant if it is necessary and proportionate, and that, for the interception to be considered necessary, it must be carried out for one of the legitimate reasons in Section 5.3.

The warrant must also include whether the information thought necessary to be obtained could “reasonably be obtained by other means”. Such warrants are valid for six months and may be renewed by the Secretary of State. Though a legal distinction is made between external and internal communications (external being those where at least one end is overseas, and internal being UK-to-UK communications), the incidental interception of internal communications is allowed for by Section 5 (6) of RIPA, since making a distinction between the two is practically impossible. Sections 15 and 16 of RIPA set out the applicable safeguards. GCHQ uses this bulk interception capability to investigate the communications of individuals already known to pose a threat, or to generate new intelligence leads, such as to find terrorist plots, cyber-attacks or other threats to national security.148 According to the ISC, however, GCHQ only covers a fraction of internet communications since it does not have the capacity to intercept all communications.149

Finally, the French parliament adopted in June 2015 a Law on intelligence (Loi relative au renseignement).150 The Constitutional Court reviewed the constitutionality of the bill and confirmed that most of the provisions were in line with the Constitution.151 The law, which amends the Interior Security Code (Code de la sécurité intérieure) and other relevant codes, entered into force on 3 October 2015, with the nomination of the President of the National Commission of Control of the Intelligence Techniques (CNCTR).152 Among the various intelligence techniques prescribed by law, one is relevant in the context of signals intelligence.

Article L. 851–3 of the Interior Security Code provides for the possibility to oblige telecommunications providers and Internet Service Providers (ISP) to set up automatic processing, based on predefined parameters (generally referred to as algorithms) that could detect a terrorist threat. The algorithms do not enable the identification of the users but only collect ‘information or documents’ (informations ou documents). The French government referred to these as ‘digital

142 Sweden, Act on Signals (2008:717) (Lag om signalspaning i försvarsunderrättelseverksamhet (2008:717)), 10 July 2008. For the government’s preparatory efforts on the law, see Sweden, Government Bill 2006/07:46 Processing of Personal Data by the Armed Force and the National Defence Radio Establishment (Regeringens proposition 2006/07:46, Personuppgiftsbehandling hos Försvarsmakten och Försvarets radioanstalt).
143 Sweden, Act on Signals Defence Intelligence, Section 2.
144 Ibid., Section 2 (a).
145 Ibid., Section 5 (a) second indent.
146 Klamberg, M. (2009); see also, Klamberg, M. (2010).
147 United Kingdom, Regulation of Investigatory Powers Act 2000, 1 August 2000, Section 2 (1).
148 United Kingdom, Intelligence and Security Committee of Parliament (ISC) (2015), p. 25.
149 Ibid., p. 27.
150 France, National Assembly (Assemblée nationale), Law No. 2015–912 on intelligence (Loi n°2015–912 relative au renseignement), 24 July 2015.
151 France, Constitutional Court (Conseil constitutionnel), No. 2015-713 DC, 23 July 2015.
152 France, Law No. 2015–912 on intelligence, Art. 26; France, Decree on the composition of the National Commission of Control of the Intelligence Techniques (Décret relative à la composition de la Commission national de contrôle des techniques de renseignement), 1 October 2015.


data’ (données informatiques) and connexion data153 but in fact it seems that these notions are not exactly the same.154 For purposes of this research, it should be understood as ‘metadata’.

Taking into account the principle of proportionality, the required authorisation by the prime minister defines the technical scope of this intelligence method. The National Commission of Control of the Intelligence Techniques (CNCTR) provides the prime minister with a non-binding opinion on the algorithms and the parameters chosen. The CNCTR has continuous access to the gathered intelligence and is informed about any modifications. It can also make recommendations. The first authorisation is provided for two months. The renewal request should state the numbers of hits and their relevance for the intelligence services. As soon as the automatic processing provides data that can suggest the existence of a terrorist threat, the prime minister, after having received the opinion of the CNCTR, can authorise the identification of the users. Their data can be analysed within 60 days and should then be destroyed.155

In sum, despite legislative efforts to regulate the work of intelligence services, the Council of Europe Commissioner for Human Rights recently concluded that “in many countries, there are few clear, published laws regulating the work of these agencies”.156 The lack of clarity and hence necessary quality of the legal rules governing the work of intelligence services raises fundamental rights issues. It has furthermore triggered lawsuits in a number of Member States.157 The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, stated that bulk access to communications and content data without prior suspicion “amounts to a systematic interference with the right to respect for privacy of communications, and requires a corresponding compelling justification”.158

Though it is too early to assess the full impact of the Snowden revelations on legal reforms, post-Snowden inquiries in some Member States indeed led to the conclusion that their current national legal frameworks need to be reformed. The annual report of the French Parliamentary Delegation on Intelligence, the parliamentary oversight body, linked its assessment of the revelations to the need for overarching intelligence reform in France.159 In the United Kingdom, the post-Snowden inquiry by the Intelligence and Security Committee (ISC) also resulted in the conclusion that the British legal framework is deserving of reform.160 This was supported by a report issued by the Independent Reviewer of Terrorism Legislation, who stated that the Regulation of Investigatory Powers Act, “obscure since its inception, has been patched up so many times as to make it incomprehensible to all but a tiny band of initiates. A multitude of alternative powers, some of them without statutory safeguards, confuse the picture further. This state of affairs is undemocratic, unnecessary and – in the long run – intolerable.”161

1.3.2. Surveillance following a legitimate aim

In this report, the notion of national security is examined in light of the mandate of the intelligence services and the surveillance measures they may carry out.

Article 8 (2) of the ECHR states that all interferences with the right to privacy should pursue a legitimate aim. It refers in particular to “national security, public safety or the economic wellbeing of the country”. Article 52 (1) of the EU Charter of Fundamental Rights does not refer to specific aims, but states that “any limitation of the exercise of the rights and freedoms recognised by this Charter must […] respect the essence of those rights and freedoms […] and genuinely meet objectives of general interest recognised by the Union or protect the rights and freedom of others.”

The well-established ECtHR case law acknowledges that secret surveillance measures pursue the legitimate aims mentioned in Article 8 (2) of the ECHR, in particular ‘national security’. As illustrated in Weber and Saravia v. Germany, the legitimate aim test does not create any major issue in the court’s case law.

153 France, Law No. 2015–912 on intelligence, Explanatory note (exposé des motifs), 19 March 2015.
154 See French Data Network (Réseau de données français) et al. (2015), p. 31 and following.
155 France, Interior Security Code (Code de la sécurité intérieure), Art. L. 851-3.
156 Council of Europe Commissioner of Human Rights (2014), p. 109.
157 See for example: France, Constitutional Court (Conseil constitutionnel), Association French Data Network and Others, Decision 2015–478 QPC, 24 July 2015, confirming the constitutionality of Arts. L. 246-1 to L. 246-5 of the Interior Security Code; United Kingdom, Investigatory Powers Tribunal, Liberty & Others v. the Security Service, SIS, GCHQ, IPT/13/77/H, 5 December 2014 and 6 February 2015; Poland, Constitutional Court (Trybunał Konstytucyjny), K 23/11, 30 July 2014.
158 UN, Human Rights Council, Emmerson, B. (2014), para. 9.
159 France, Urvoas, J.-J., Parliamentary Delegation on Intelligence (2014).
160 United Kingdom, Intelligence and Security Committee of Parliament (ISC) (2015).
161 Anderson, D., Independent Reviewer of Terrorism Legislation (2015), p. 8. See also UN, Human Rights Committee (2015b), pp. 10–11.


ECtHR case law: a legitimate aim

“The Government argued that the impugned interferences with the secrecy of telecommunications for the various purposes listed [in the G 10 Act], pursued a legitimate aim. They were necessary, in particular, in the interests of national security, public safety, the economic well-being of the country, and of the prevention of crime. The applicants did not comment on this issue.

The Court shares the Government’s view that the aim of the impugned provisions of the amended G 10 Act was indeed to safeguard national security and/or to prevent crime, which are legitimate aims within the meaning of Article 8 § 2. It does not, therefore, deem it necessary to decide whether the further purposes cited by the Government were also relevant.”

ECtHR, Weber and Saravia v. Germany, No. 54934/00, 29 June 2006, paras. 103–104.

Legitimate aim as such is rarely questioned by the ECtHR. The scope of the various legitimate aims could, however, be debated, since the lack of a precise definition may create situations where concepts such as ‘national security’ acquire a scope that is too broad, and therefore justify undue restrictions of the right to privacy.

According to the ECtHR, notions like national security, the protection of which is a primary aim of the intelligence services, must therefore comply with the ‘quality of law’ requirements, in particular with the requirement of foreseeability/clarity of the law. The need for a definition in the law is stressed by different actors as a means to preserve the commitment to the rule of law and accountability of the executive and the national intelligence services.162

In 1996, experts in the fields of international law, national security, and human rights described national security in the so-called Johannesburg principles as “protect[ing] a country’s existence or its territorial integrity against the use or threat of force, or its capacity to respond to the use or threat of force, whether from an external source, such as a military threat, or an internal source, such as incitement to violent overthrow of the government”.163

The UN has also made clear that measures that interfere with the right to privacy need a legitimate aim, with statements such as:

“That mass surveillance technology can contribute to the suppression and prosecution of acts of terrorism does not provide an adequate human rights law justification for its use. The fact that something is technically feasible, and that it may sometimes yield useful intelligence, does not provide an adequate human rights law justification for its use.”164

The ECtHR has held that it is difficult to precisely define the concept of national security. Yet, even broadly defined, and leaving a large margin of appreciation to the member states of the Council of Europe, the court assigns to the notion of national security the existence or security of a state; the protection of the democratic constitutional order from terrorism, separatism, or espionage; and the security of the armed forces. On the other hand, the court has clarified that the concept of national security cannot be based on an interpretation that is unlawful, contrary to common sense or arbitrary. The offence of drug trafficking, for instance, is not considered, in any reasonable definition of the term, as falling within the scope of ‘national security’ in the concrete case of an alien subject to a deportation order. Moreover, the Court requires the threat to national security to have some reasonable basis in facts.165

In some EU secondary legislation, ‘national security’ is explained as state security, for instance in Article 15 (1) of the e-Privacy Directive 2002/58/EC. Moreover, the CJEU in ZZ v Secretary for the Home Department implicitly held that the notion of state security as used in EU secondary legislation is equivalent to the notion of ‘national security’ as used in the national law.166

FRA research shows that the concept of national security is not used harmoniously across the EU. In some Member States, the term is not used at all. Instead, the terms ‘internal and/or external security’, or ‘security of the state’ are used. In Member States where the term ‘national security’ is used, it may or may not be defined. Where ‘national security’ is not defined, however, the additional tasks assigned to the intelligence services resemble those mentioned in other national legal frameworks under the notions of national security, state security, or external/internal security.

162 Born, H. and Leigh, I. (2005), p. 17; Bigo, D. et al., Policy Department C: Citizens’ Rights and Constitutional Affairs (2014), pp. 35–38, 67 and 82–83; Sule, S. (2006), p. 236.
163 Article 19 (1996), Principle 2 (a).
164 UN, Human Rights Council, Emmerson, B. (2014), p. 6
165 ECtHR, Klass and Others v. Germany, No. 5029/71, 6 September 1978, paras. 45–46; ECtHR, Janowiec and Others v. Russia [GC], Nos. 55508/07 and 29520/09, 21 October 2013, paras. 213–214; ECtHR, C.G. and Others v. Bulgaria, No. 1365/07, 24 April 2008, para. 40; ECtHR, Iordachi and Others v. Moldova, No. 25198/02, 10 February 2009, para. 46. See also ECtHR: Research Division (2013).
166 CJEU, C-300/11, ZZ v. Secretary of the State of Home Department, 4 June 2013, paras. 5, 11, 35, 38 and 54.


In some cases, the notion of national security was inserted into national law under the influence of the European Convention of Human Rights. This is the case in France, for example.167 The French Law on Intelligence refers to the overarching notion of “fundamental interests of the Nation” (intérêts fondamentaux de la Nation), which is defined in Article 410–1 of the Penal Code. This overarching notion, which clearly includes national security, justifies the implementation of surveillance measures in other areas, as well.168 The French constitutional court considered this aim precise enough and declared it in conformity with the constitution.169

In addition, the scope of the various tasks of the intelligence services, i.e. their mandate, is also not identical across the EU Member States. Aside from more traditional fields, i.e. protection of national integrity, sovereignty, or constitutional order, the mandates of some intelligence services include organised crime and cybercrime. These terms are not harmoniously defined, either. There are Member States that narrow down the forms of organised crime to those very few cases that can clearly be identified as a threat to national or state security; others use a much broader catalogue, which is sometimes non-exhaustive. The broader the terms, the lower the requirement of legal clarity and foreseeability. In the latter case, the wide spectrum of organised crimes may allow for the involvement of the intelligence services.

The objective of the protection of economic interests is also part of intelligence services’ mandates in several Member States’ legislation. This objective is not always defined, either; sometimes it is qualified as either “vital interest” or “crucial interest”. The Venice Commission highlights that conducting intelligence activities for the purpose of the economic well-being of a state “may result in economic espionage”.170 The Venice Commission identifies three trade areas where intelligence may be legitimate (proliferation of weapons of mass destruction, circumvention of UN/EU sanctions, and major money laundering), and stresses the need for establishing rules prohibiting economic espionage and rules establishing stronger oversight in this area. Some Member States include further objectives, such as national wealth, the corruption of high state officials, or migration.

Of the five Member States that have detailed legislation on signals intelligence, Germany, the Netherlands, and the United Kingdom use the term ‘national security’ as a reason for gathering such intelligence. The United Kingdom includes in its mandate the prevention or detection of serious crime, the economic well-being of the UK, and the purpose of giving effect to an international agreement.171 The Netherlands adds the protection of the rule of law and other important state interests.172 Germany lists situations in which its intelligence service may gather signals intelligence: armed attack, international terrorism, arms proliferation, smuggling of narcotics of substantial importance in the EU, counterfeiting of money undermining the stability of the Euro, money laundering, and human trafficking of substantial importance.173

Sweden, on the other hand, does not use the term ‘national security’, but rather lists a series of circumstances permitting it to gather signals intelligence, some of which the law individually identifies as threats to the security of national interests: external military threats, international peacekeeping and humanitarian initiatives, international terrorism or other serious transnational crime, proliferation of weapons of mass destruction, serious external threats to the infrastructure of society, conflicts abroad, foreign intelligence activities against Swedish interests, or a foreign power’s actions or intentions of vital importance to Swedish foreign security or defence policy.174 France adopted a similar approach, specifying what the notion of ‘fundamental interests of the Nation’ encompasses. It includes national independence, integrity of the territory and national defence; major interests of foreign policy, which include the execution of international and European agreements; economic, industrial and scientific major interests for France; terrorism prevention; prevention of acts affecting: the republican form of government, the reconstitution of dissolved groups and collective violence gravely affecting public peace; prevention of organised crime; and prevention of the proliferation of weapons of mass destruction.175

167 France, Law No. 2015–912 on intelligence, Explanatory note. See also France, National Commission for the Control of Security Interceptions (CNCIS) (2015b), p. 120 and following.
168 France, Interior Security Code, Art. L. 811–3.
169 France, Constitutional Court (Conseil constitutionnel), No. 2015-713 DC, 23 July 2015.
170 Venice Commission (2015), p. 20.
171 United Kingdom, Intelligence Services Act 1994, 26 May 1994, Section 3 (2).
172 The Netherlands, Intelligence and Security Services Act 2002, Art. 6 (2).
173 Germany, Act on the Federal Intelligence Service, Sections 1 (1) and 2(1); Germany, G 10 Act, Section 5 (1). Section 8 of the G 10 Act also prescribes strategic surveillance in cases of kidnapping.
174 Sweden, Act on Signals Defence Intelligence.
175 France, Interior Security Code, Art. L. 811–3.


FRA key findings

Objective and structure of intelligence services

The main goal of intelligence services in democratic societies is to protect national security and the fundamental values of an open society by using secret intelligence tools. The organisation of the intelligence community in individual EU Member States is closely linked to country-specific historical developments, and does not necessarily abide by fundamental rights standards. As a result, intelligence services are set up in extremely diverse manners across the EU. In some Member States, two intelligence services carry out the work, while in others, five or six bodies are in charge.

■ Almost all EU Member States have established at least two different intelligence services bodies, one for civil and one for military matters; the latter are not covered in this report. Civil intelligence services are generally subordinate to interior ministries, and sometimes also to the prime minister or president.

■ In some Member States, the civil services are further sub-divided into one service with a domestic mandate and one with a foreign mandate. Moreover, some Member States have entrusted intelligence measures to units specialised in a particular threat, such as organised crime, corruption or the fight against terrorism.

Protecting national security

FRA’s research examines the notion of ‘national security’ in light of the intelligence services’ mandate and the surveillance measures they may carry out. Again the findings reveal great diversity among EU Member States.

■ The primary aim of the intelligence services is to protect national security, but the concept is not harmonised across EU Member States. The scope of national security is rarely defined, and sometimes similar terms are used. Other Member States do not use the term ‘national security’ at all and refer instead to ‘internal security’ and/or ‘external security’, or to the ‘security of the state’.

■ The scope of the various tasks of intelligence services (i.e. their mandate) is not identical across EU Member States. In addition to the more traditional fields, the mandates of some intelligence services include organised crime and cybercrime. These terms are not harmoniously defined.

Legal regulation of surveillance

The line between tasks of law enforcement and those of intelligence services is sometimes blurred. Every expansion of tasks must be properly justified as necessary for safeguarding the state, which is the underlying reason for establishing intelligence services.

■ Most Member States’ legal frameworks only regulate targeted surveillance, either of individuals or defined groups/organisations. In addition to addressing targeted surveillance, five Member States have enacted detailed laws on the conditions for using signals intelligence.

■ Looking at applicable human rights standards, national legal frameworks lack clear definitions indicating the categories of persons and scope of activities that may be subject to intelligence collection.

■ Intelligence services are regulated by law in the vast majority of Member States (26 out of 28). Legal provisions regulate the organisation and functioning of the countries’ intelligence services. One Member State’s constitution prohibits its intelligence service from undertaking surveillance. Another Member State is in the process of enacting legislation that will regulate its intelligence services’ surveillance practices.

■ FRA analysis shows that the legal basis which frames the mandates and powers of the national intelligence services in EU Member States ranges from one unique legal act governing the organisation and means of the national services, to complex frameworks consisting of several laws and ordinances regulating specific aspects of their mandate, organisation, competences or means.

■ Most Member States organise the work of the intelligence services in two laws: one on the mandate and organisation of the service, and another on means of action and the conditions for using them.

■ Most EU Member States (23 out of 28) have separated intelligence services from law enforcement authorities. Two Member States have recently moved away from systems in which the intelligence services belonged to the police or similar law enforcement authorities.


2 Oversight of intelligence services

This chapter outlines how oversight mechanisms are established in the EU Member States. It looks at the accountability mechanisms imposed by law on the intelligence services. Future FRA fieldwork research will provide data on how the legal framework is implemented in practice.

The main goal of intelligence services is to protect the fundamental values of an (open) society using secret tools, and, as Born and Leigh put it, “It is because of this paradox (defence of an open society by secretive means), that the security and intelligence services should be the object of democratic accountability and civilian control”.176

Oversight has thus been defined as “a means of ensuring public accountability for the decisions and actions of security and intelligence agencies.”177 Oversight is aimed at 1) avoiding abuse of power, 2) legitimising the exercise of intrusive powers, and 3) achieving better outcomes after an evaluation of specific actions.178

The diversity among EU Member States in terms of politics, history, and legal systems has resulted in a variety of bodies that oversee the intelligence services. Additionally, a great assortment of powers is granted to these various oversight bodies, including the extent to which they may exercise these powers. Though recognising that Council of Europe member states (which include the EU-28) have made great strides in establishing external oversight of their intelligence services, the Council of Europe Commissioner for Human Rights pointed out that few countries have reviewed their effectiveness. He recommended this be done periodically to ensure they remain efficient over time.179

“There is no Council of Europe member state whose system of oversight comports with all the internationally or regionally recognised principles and good practices […] and […] there is no one best approach to organising a system of security service oversight.”
Council of Europe Commissioner for Human Rights (2015), p. 7

The general consensus, taken from the Venice Commission report180 and academic studies,181 is that oversight should be a combination of:
• executive control;
• parliamentary oversight;
• judicial review; and
• expert bodies.

Judicial review, which mainly occurs as a result of a lawsuit, is covered under Chapter 3 of this report. Judicial involvement in oversight of intelligence services occurs via warranting and monitoring of surveillance measures. However, since these bodies are not exclusively judicial, the broader category of approval and review of surveillance measures has been used in this report. The role of the ombudspersons in the oversight of intelligence services is covered in Chapter 3, since it is mainly a complaints-handling body.

By giving diverse powers to an array of bodies that should complement each other, the maximum level of

176 Born, H. and Leigh, I. (2005), p. 16.
177 Born, H. et al. (eds.) (2005), p. 7.
178 See Chesterman, S. (2011), pp. 208 and 222.
179 Council of Europe Commissioner for Human Rights (2015), p. 10.
180 Venice Commission (2007).
181 See Born, H. and Leigh, I. (2005), p. 15; Chesterman, S. (2011); Born, H. and Wills, A. (eds.) (2012); Institute for Information Law (2015); Dewost, J.-L. et al. (2015), pp. 12 and following.


oversight is guaranteed. Their oversight, however, is only effective if they are independent and granted sufficient powers and resources, both human and financial, to fulfil their mandate. As stated by the CoE Commissioner for Human Rights, “The adequacy of such resources should be kept under review and consideration should be given as to whether increases in security service budgets necessitate parallel increases in overseers’ budgets”.182 As outlined in the UN good practices, the UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism also supports this approach.

UN good practices on oversight institutions

Practice 6. Intelligence services are overseen by a combination of internal, executive, parliamentary, judicial and specialised oversight institutions whose mandates and powers are based on publicly available law. An effective system of intelligence oversight includes at least one civilian institution independent of both the intelligence services and the executive. The combined remit of oversight institutions covers all aspects of the work of intelligence services, including their compliance with the law; the effectiveness and efficiency of their activities; their finances; and their administrative practices.

Practice 7. Oversight institutions have the power, resources and expertise to initiate and conduct their own investigations and have full and unhindered access to the information, officials and installations necessary to fulfil their mandates. Oversight institutions receive the full cooperation of intelligence services and law enforcement authorities in hearing witnesses and obtaining documentation and other evidence.

UN, Human Rights Council, Scheinin, M. (2010)

To achieve the maximum level of protection, in addition to the four layers of legally-based oversight mentioned above, the media and civil society organisations also play an important role. Their impact will be assessed through additional fieldwork research, but the media unquestionably played a crucial role in the Snowden revelations by presenting to the broader public the existence and functioning of large-scale surveillance programmes. Furthermore, NGOs have launched lawsuits in various EU Member States, promoted reforms,183 developed international principles applicable to oversight of intelligence services,184 and act as watchdogs of legislative processes.185 Consequently, it is important that their roles be supported so that they can contribute to the oversight of intelligence matters.

Figure 2 illustrates the points made in this introduction.

Control of the services, however, cannot be limited to external authorities. Intelligence services have a clear responsibility to act within the law, and the law itself can state such a responsibility. Though not strictly ‘oversight’, since that implies a certain measure of independence, internal control can be achieved by establishing a clear set of internal administrative policies that can guide staff. These are usually not legally established. The CoE Commissioner for Human Rights has highlighted the importance of internal control.

“It is individual members of security services that play the most significant role in ensuring that security service activity is human rights compliant and accountable. External oversight can achieve little if the security services do not have an internal culture and members of staff that respect human rights.”
Council of Europe Commissioner for Human Rights (2015), p. 8

A number of Member States include such internal controls. Sweden, for example, has established data representatives in charge of ensuring that personal data is processed lawfully within the signals intelligence agency (the Defence Radio Establishment). They are appointed by the service itself and report to the Data Inspection Board.186 The Defence Radio Establishment also has a National Integrity Protection Council, composed of three members, all appointed by the government.187 The Integrity Protection Council monitors the internal activities of the service. The Council reports its findings to the Defence Radio Establishment and, if necessary, to the State Defence Intelligence Commission (Statens Inspektion för Försvarsunderrättelseverksamhet, SIUN),188 which is one of the oversight bodies.

182 Council of Europe Commissioner for Human Rights (2015), p. 14.
183 See, for example, Löning, M. (2015); Brown, I. et al. (2015).
184 See Forcese, C. and LaViolette, N. (2006), Ottawa Principles on Anti-terrorism and Human Rights; Open Society Justice Initiative (2013), Global Principles on National Security and the Right to Information (Tshwane Principles); and Access et al. (2014), International Principles on the Application of Human Rights to Communications Surveillance (Necessary and Proportionate Principles).
185 See, for example, ECtHR, Youth initiative for human rights v. Serbia, No. 48135/06, 25 June 2013. The Serbian intelligence agency denied the applicant NGO information on the number of people subjected to electronic surveillance by the agency, despite an Information Commissioner order supporting the NGO’s request. The ECtHR found a violation of freedom of expression, acknowledging the NGO’s role in a debate of public interest (para. 24).
186 Sweden, Act on Processing of Personal Data in the National Defence Radio Establishment (2007:259) (Lag om behandling av personuppgifter i Försvarets radioanstalts försvarsunderrättelse- och utvecklingsverksamhet (2007:259)), 10 May 2007, Chapter 4.
187 Sweden, Government Regulation SFS 2007:937, 15 November 2007, Art. 8a and 8b.
188 Sweden, Signal Intelligence Act, 2008:717, 10 July 2008, Art. 11.

30 Oversight of intelligence services

Figure 2: Intelligence services’ accountability mechanisms

[Diagram: accountability of intelligence services. Labels shown: Executive control; International (ECtHR); Media; NGOs; Expert bodies; Parliamentary; Judicial; ex ante & ex post.]

Poland, Germany and the United Kingdom have similar internal controls. Poland employs an “agent for the control of personal data processing” within the Central Anti-Corruption Bureau.189 In Germany, a staff member within the Federal Intelligence Service, qualified to hold judicial office, supervises the deletion of irrelevant data and assesses regularly whether personal data kept are indeed necessary. For the purposes of oversight and control, this data is stored for one year as log-files. Similar requirements apply to targeted and to strategic surveillance.190 The Internal Compliance Team within the United Kingdom’s GCHQ carries out ex-post, internal and random audit checks. Its IT Security Team also conducts technical audits.191 The results of both are provided to the Interception of Communications Commissioner when s/he carries out inspections. Breaches in security are also reported to the Commissioner after they occur, such as the case of an analyst suspended from duty on discovery of illegitimate searches.192

As the Snowden revelations have shown, staff may want to raise concerns about the legality of activities witnessed within the agency. This can be achieved by means of internal controls and through whistleblower provisions, which allow staff to feel secure when doing so. The Dutch bill and French law on intelligence, for example, establish whistleblower protection.193 In France, members of the intelligence services who come across facts that are in violation of the intelligence law can address the National Commission for Monitoring of Intelligence Techniques (CNCTR), which can then bring the case before the Council of State and inform the prime minister.194 In Lithuania, intelligence officials may address the Parliamentary Committee on National Security and Defence.195

Intelligence services have begun to publish reports related to their activities. These, as expected, do not include sensitive information, but constitute a step towards making their role more transparent and accountable to citizens. In Croatia, for instance, the Security and Intelligence Agency (SOA) (Sigurnosno-obavještajna agencija) published a report on its activities for the first time in 2014, and invited civil society organisations to give feedback.196

189 Poland, Act on Central Anti-Corruption Bureau (Ustawa o Centralnym Biurze Antykorupcyjnym), 9 June 2006, Art. 22 (b).
190 Germany, G 10 Act, Sections 4, 6 (1) and Section 8 (4).
191 United Kingdom, IOCCO (2015), p. 26.
192 Ibid., p. 40.
193 The Netherlands, Draft law on the Intelligence and Security Services 20XX, Arts. 114–120.
194 France, Interior Security Code, Art. L. 861–3. See also Foegle, J.-P. (2015).
195 Lithuania, Law of the Republic of Lithuania on Intelligence (Lietuvos Respublikos žvalgybos įstatymas), No. XI-2289, 17 October 2012, as amended, Art. 21 (5).
196 Croatia, Security and Intelligence Agency (Sigurnosno-obavještajna agencija) (2014).

2.1. Executive control

L’autorité politique « […] entretient des relations complexes avec ‘ses’ services, dont elle est, tour à tour, le responsable, le contrôleur, le gardien et le protecteur. »
The political authority “[…] has complex relations with ‘its’ services, it is, in turn, the manager, the controller, the guardian and the protector.” – FRA translation
Cousseran, J.-C. and Hayez, P. (2015), p. 27

The executive branch can control intelligence services in a variety of ways: by establishing their policies, priorities or guidelines; by nominating and/or appointing the service’s senior management; by formulating the budget that parliament will ultimately vote on; or by approving cooperation with other services. The executive also plays a crucial role in authorising surveillance measures in some Member States. This power will be addressed in Section 3.3. Examples from Member States illustrate the variety of functions played by the executive.

Figure 3 illustrates the main ways the executive exercises control over the intelligence services across the EU-28. Slovenia197 and Cyprus are two Member States whose heads of intelligence services are nominated and/or appointed by the executive. The Cypriot CIS is directly accountable to the president of the republic to the extent that when it comes to CIS-related issues, the parliament deals with the presidency itself.

In France, a National Intelligence Council, chaired by the president of the republic, is in charge of ensuring the strategic guidance of the intelligence services and establishing the planning of their human and technical resources. The council comprises the prime minister, relevant ministers, the heads of the specialised intelligence services and the National Intelligence coordinator, who is the president of the republic’s advisor and is responsible for coordinating the activities of the intelligence services and ensuring their cooperation.198 Bulgaria,199 Croatia,200 Italy,201 and Portugal202 have similar bodies. In France, the prime minister may also hold the services accountable via the Inspectorate of Intelligence Services, whose members s/he may appoint from among the personnel of existing inspectorates. This body is in charge of monitoring, auditing, researching, consulting, and assessing the services that make up the French intelligence community, which also reports back to the prime minister.203

In Poland, the prime minister appoints and dismisses the heads of the Polish intelligence services. S/he is in charge of approving their intelligence objectives and has the most far-reaching competences in terms of oversight of the intelligence services within the country. However, the Supreme Audit Office found that his/her oversight lacks efficacy, since s/he does not have access to the internal procedures of the intelligence services. The information given by the services both as to the content and the means by which intelligence is collected cannot therefore be verified.204

Members of the executive other than the president or prime minister may also exercise control over the intelligence services. This is the case in Greece, where the National Intelligence Service is “under the authority of the Minister of Citizen Protection”.205

The executive plays vastly different roles in the five Member States that have detailed legislation on signals intelligence. In Sweden, the Defence Radio Establishment may not initiate surveillance on its own but must rather act on assignment from the government (or from other authorities, such as the armed forces, Security Service or National Operations Department of the Police Authority).206 The government is also responsible for appointing the members of most of the supervisory authorities: the board of the Swedish Defence Intelligence Commission,207 privacy protection officers (who monitor the individual’s interest in cases brought before the Foreign Intelligence Court),208 members of the Foreign Intelligence Court,209 the Privacy Protection Council,210 and the Chancellor of Justice.211 In its assessment of the Swedish law on Signals Intelligence, the UN’s Human Rights Committee remarked that the law provides the executive with wide powers of surveillance in respect of electronic communications, stating that “the State party should take all appropriate measures to ensure that the gathering, storage and use of personal data not be subject to any abuses, not be used for purposes contrary to the Covenant, and be consistent with obligations under article 17 of the Covenant. To that effect, the State party should guarantee that the processing and gathering of information be subject to review and supervision by an independent body with the necessary guarantees of impartiality and effectiveness”.212

Figure 3: Forms of control exercised over the intelligence services by the executive across the EU-28

[Diagram: Executive (President/Prime Minister; Ministers). Forms of control shown: appointing/dismissing the heads of the intelligence services; approving surveillance measures; appointing members of oversight bodies; issuing instructions, defining priorities, etc.; tasking the intelligence service.]

Source: FRA (2015)

In the United Kingdom, secretaries of state generally authorise surveillance measures,213 while the prime minister plays an important role by appointing the two Commissioners in charge of overseeing the intelligence services,214 as well as nominating the members of the Intelligence and Security Committee of Parliament.215

In France, the prime minister approves all surveillance measures after receiving an opinion of the oversight body, the CNCTR. The relevant ministers seek the prime minister’s authorisation by providing a detailed justification for the surveillance measure.216 The emergency procedure enabling the prime minister to authorise a surveillance measure before receiving the CNCTR opinion is not permitted in the context of signals intelligence.217

In Germany, the federal chancellery is in charge of supervising and coordinating the work of the intelligence services. It defines the work and intelligence priorities of the intelligence service (BND).218 The Ministry of the Interior also plays a role in accepting both targeted and strategic surveillance requests. Upon a request by the head of the intelligence service, the ministry studies the merit of the interception order, puts any favourable decision in writing, and forwards it to the G 10 Commission, which is in charge of its final approval. The Ministry of the Interior may also authorise surveillance in urgent cases, but the authorisation is subject to review by the G 10 Commission.219 There are, therefore, a series of checks and balances in place.

In the Netherlands, on the other hand, executive control manifests in the Minister of Interior, who, together with the Minister of Defence and the minister of general affairs (the Prime Minister), is in charge of nominating the coordinator for the intelligence service (AIVD). The prime minister and the Minister of General Affairs, in accordance with other relevant ministers, instruct the coordinator.220 The Minister of Interior then reports to parliament biannually regarding the work of AIVD. Though the work of the executive in implementing the Intelligence and Security Services Act is subject to oversight by the Dutch expert body, this is not done to the same extent as in Germany. The Review Committee on the Intelligence and Security Services may request information and the minister’s cooperation, and can give the minister unsolicited advice.221

Care should be taken, however, to ensure that executive control does not displace that exercised by other, equally necessary oversight bodies. There should also be a clear separation of powers between those involved, since the aim “is that security and intelligence agencies should be insulated from political abuse without being isolated from executive governance”.222 The following sections will show that a number of EU Member States do not provide their external oversight bodies with broad powers, backed by effective independence and means. They therefore rely heavily on executive control. As Born and Wills have noted, the executive plays an intrinsic role and should always be informed about the work of the services. They further argue that it may not have a strong interest in revealing failures within the intelligence services when they occur due to the potential political cost,223 which is why oversight must include, but not be restricted to, the executive.

197 Slovenia, Intelligence and Security Agency Act, Art. 4.
198 France, Defence Code, Art. R 1122–6, R 1122–7 and R 1122–8.
199 Bozhilov, N. (2007), p. 89.
200 Croatia, Act on the Security Intelligence System of the Republic of Croatia (Zakon o sigurnosno-obavještajnom sustavu Republike Hrvatske), Official Gazette (Narodne novine) Nos. 79/06 and 105/06, 30 June 2006, Art. 1 (2).
201 Italy, Law No. 124/2007 on the Information System for the security of the Republic and new rules on State secrets, Art. 5.
202 Portugal, Framework Law 30/84 on the Intelligence System of the Portuguese Republic (Lei Quadro do Sistema de Informações da República Portuguesa), 5 September 1984, as amended, Art. 18.
203 France, Decree No. 2014–833 on the Inspectorate of intelligence services (Décret n°2014–833 relatif à l’inspection des services de renseignement), 24 July 2014.
204 The full content of the report is confidential. See Poland, Supreme Audit Office (Naczelna Izba Kontroli) (2014).
205 Greece, Presidential Decree 189/2009 on determination and redistribution of competences of the Ministries (Προεδρικό Διάταγμα 189/2009 Καθορισμός και Ανακατανομή αρμοδιοτήτων των Υπουργείων), 5 November 2009 (O.G. A 221/5.11.2009), Art. 2, 3rd indent.
206 Sweden, Act on Signals Defence Intelligence, Section 4.
207 Ibid., Section 10.
208 Ibid., Section 6.
209 Ibid., Section 2.
210 Ibid., Section 11.
211 Sweden, The Chancellor of Justice (Justitiekanslern, JK), www.jk.se/.
212 UN, Human Rights Committee (2015c).
213 United Kingdom, Regulation of Investigatory Powers Act 2000, Section 7 (1) (a).
214 Ibid., Sections 57 (1) and 59 (1).
215 United Kingdom, Justice and Security Act 2013, 25 April 2013, Section 1 (5).
216 France, Interior Security Code, Art. L. 821–1 and Art. L. 821–2.
217 Ibid., Art. L. 821-5 and Art. L. 851–3.
218 Germany, Act on the Federal Intelligence Service, Sections 1 and 12.
219 Germany, G 10 Act, Section 15 (6).
220 The Netherlands, Intelligence and Security Services Act 2002, Arts. 1 and 4.
221 Ibid., Art. 64.
222 Born, H. and Leigh, I. (2005), p. 13.
223 Born, H. and Wills, A. (eds.) (2012), p. 10.

2.2. Parliamentary oversight

Parliamentary oversight is very important because of parliament’s “supreme responsibility to hold the government accountable”224 and may be done in a variety of ways. Parliament, as the lawmaker, is responsible for enacting clear, accessible legislation and establishing the intelligence services and their organisation, special powers and limitations, or, in its stead, to review the drafts submitted by the executive. It also approves the intelligence service’s budget and should play a strong role in scrutinising whether their operations are in line with the laws they set out. However, as stated by the Council of Europe Commissioner for Human Rights, “[T]he nature of these bodies means that most are not in a position to undertake regular, detailed oversight of operational activities including the collection, exchange and use of personal data”.225 The politicisation of oversight committees,226 and the potential lack of lawmakers’ technical competence regarding highly complex information and communications technology matters and the use of new technologies as applied to surveillance activities227 have been raised as further hurdles.

Expert collaboration is indispensable. Parliamentarians cannot make correct legal assessments if these are based on wrong assumptions of how technology works. This would prevent effective oversight, hence the need of special arrangements in law to ensure proper support or interaction between experts and members of parliament.

Except for Ireland, Malta, Finland and Portugal, Member States have parliamentary committees that deal with the intelligence services. The powers granted to them, however, vary.228 Cyprus, Greece and Sweden have not set up specific parliamentary committees, but rather rely on standing committees with broader remits.

2.2.1. Mandate

“In order to enjoy legitimacy and command trust it is vital that parliamentary oversight bodies in this area have a broad mandate, are appointed by parliament itself and represent a cross-section of political parties”.
Born, H. and Leigh, I. (2005), p. 85

The different parliamentary committees across the Member States have varying mandates. Their powers can include overseeing the policies, administration, budget and expenditure of the intelligence services; receiving periodical reports from the services themselves or from the members of the executive that oversee them; and inspecting sensitive documents and records and the premises of the intelligence services. Some may also receive complaints from individuals. Some Member States have set up one parliamentary committee to deal with the various security and intelligence services, whereas others have created various committees to deal with the services individually. The former is recommended by the Venice Commission, since it allows the committee to carry out more far-reaching oversight and to “cross agency boundaries”.229

Table 1 categorises the various parliamentary committees in the EU Member States according to their powers. For Member States that have more than one committee in charge of overseeing the intelligence services, the committee with the broadest powers is represented. The table differentiates between essential and enhanced powers. This categorisation is intended to facilitate the comparative analysis, and is not an assessment of the efficiency of the oversight carried out. These powers are categorised according to establishment in law, not in practice. The latter will be evaluated during the fieldwork phase.

224 Born, H. (2003), p. 36.
225 Council of Europe Commissioner for Human Rights (2015), p. 42.
226 Ibid., p. 46.
227 Chesterman, S. (2011), p. 80; Urvoas, J.-J. (2015), p. 40.
228 See Wills, A., et al., Policy Department C: Citizens’ Rights and Constitutional Affairs (2011).
229 Venice Commission (2007), p. 33.


• Essential powers:
  • has competence overseeing the services’ budget and expenditure;
  • may receive reports from the intelligence services and/or the executive and report to parliament;
  • may usually ask the intelligence services and/or the executive to provide the committee with information.

• Enhanced powers: has essential powers that have been enhanced by:
  • the power to receive complaints/initiate investigations on its own initiative, and the power to subsequently investigate (power to inspect premises and/or access classified information), and issue recommendations or binding decisions; or
  • to be involved in the authorisation process of surveillance measures.

A select few parliamentary committees have been granted extensive powers that go beyond the more traditional role of parliament as an overseer. Among other powers, for instance, Hungary’s parliamentary committee may receive complaints on illegal activity of the intelligence services. The committee has the power to carry out investigations, may inspect the registers and documents of the services, and hear their staff. It then forwards its position to the minister so s/he can initiate an examination of liability.230 Romania has two committees for defence, public order, and national security (one of the Senate, the other of the Chamber of Deputies), and two Joint Permanent Commissions of the Senate and the Chamber of Deputies for the Exercise of Parliamentary Control over the activity of the Romanian Intelligence Service, and over the External Intelligence Service. The committees may request reports, information and documents from the security agencies; may conduct investigations and submit reports to the parliament,231 whereas the Joint Commissions also monitor the activities of the intelligence services; have the power to issue binding decisions; and investigate any complaints made against the intelligence services.232

In Luxembourg, on the other hand, the Parliamentary Control Commission has the power to conduct checks on specific issues. At the end of each review, the commission then files a confidential report that includes findings, conclusions and recommendations to its members, the prime minister, and the Director of the Intelligence. This may also be requested by the prime minister. The committee is also informed every six months of surveillance measures of communications ordered by the prime minister.233

The Belgian Monitoring Committee of the Chamber of Representatives responsible for monitoring the Standing Committee P (Standing Police Monitoring Committee) and the Standing Committee I (Standing Intelligence Agencies Review Committee), is unique in that it does not deal with the intelligence services themselves but rather supervises the expert bodies that oversee the police and intelligence services. It can also instruct its Standing Committee I to investigate the intelligence services, to issue advice on legislation and to analyse the reports the Standing Committee submits to it.234

230 Hungary, Act CXXV of 1995 on the National Security Services (A nemzetbiztonsági szolgálatokról szóló 1995. Évi CXXV. törvény), 28 December 1995, as amended, Section 14 (4).
231 Romania, Decision No. 28/2005 of the Romanian Senate concerning the regulation for the functioning of the Romanian Senate (Hotărârea nr. 28/2005 privind Regulamentul Senatului), 24 October 2005, Art. 67 (b) and (c); Romania, Decision no. 8/1994 of the Romanian Chamber of Deputies concerning the regulation of the functioning of the Chamber of Deputies (Hotărârea nr. 8/1994 privind Regulamentul Camerei Deputaţilor), 24 February 1994, Art. 61.
232 Romania, Decision No. 30/1993 of the Romanian Parliament concerning the organization and functioning of The Joint Permanent Commission of the Senate and the Chamber of Deputies for the Exercise of Parliamentary Control over the activity of the Romanian Intelligence Service (Hotararea nr. 30/1993 a Parlamentului Romaniei privind organizarea şi funcţionarea Comisiei comune permanente a Camerei Deputaţilor şi Senatului pentru exercitarea controlului parlamentar asupra activităţii Serviciului Roman de Informaţii), 23 June 1993, Art. 5 (a), (b) and (c); Romania, Law No. 1/1998 concerning the organisation and functioning of the External Intelligence Service (Legea nr. 1/1998 privind organizarea si functionarea Serviciului de Informatii Externe), 6 January 1998, Art. 6 (a), (e) and (f).
233 Luxembourg, Act of 15 June 2004 on the organisation of the State Intelligence Service (Loi du 15 juin 2004 portant organisation du Service de Renseignement de l’Etat), 15 June 2004, as amended, Art. 15.
234 Belgium, Organic Law on the control of police and intelligence services and the Coordination Unit for Threat Assessment (Loi organique du contrôle des services de police et de renseignement et de l’Organe de coordination pour l’analyse de la menace), 18 July 1991, Art. 32, 33 and 35 (2). See also, Belgium, Standing Committee I (2014), p. XV.

Table 1: Categories of powers exercised by the parliamentary committees as established in law

Member State Essential powers Enhanced powers AT X BE X BG X CY X CZ X DE X DK X EE X EL X ES X FI FR X HR X HU X IE IT X LT X LU X LV X MT NL X PL X PT RO X SE X SI X SK X UK X

Note: Finland, Ireland, Malta and Portugal do not have parliamentary committees that deal with intelligence services.
Source: FRA, 2015

Parliamentary committees with more traditional powers, such as receiving reports, giving opinions on draft laws, making recommendations, or evaluating candidates for heads of intelligence services, exist in Latvia,235 Poland,236 Estonia237 and Austria.238 The Czech parliamentary committee for the Control of the Security Information Service, for instance, possesses no investigative powers. It receives reports from the service and can request information where it believes the activity of the service entails illegal limitations on the rights and freedoms of individuals (or classified information has been disclosed). It cannot, however, access the files itself. If it establishes that there has been a breach of law, it must inform the appropriate minister, head of the service, and a prosecutor.239

The powers granted to some parliamentary committees are limited, which makes fulfilling their mandate difficult. The Lithuanian Parliamentary Committee on National Security and Defence, for instance, may receive complaints from the public, but does not have the power to carry out inspections or audits, and so cannot resolve the complaint with an adequate investigation.240 Without access to classified documents, oversight bodies rely on the data provided to them by the executive or the services themselves. This does not allow for independence or effective oversight. In agreement with this, the Council of Europe Commissioner for Human Rights has recommended that oversight bodies have access to all the information necessary to fulfil their mandate, regardless of its level of classification.241

The parliamentary committees of other Member States focus more on the executive. This is the case, for example, in Denmark and Estonia, as they receive reports from the government on the work of the intelligence services. The Danish Folketing’s Parliamentary Control Committee can issue statements to the government, but they are non-binding.242 The Estonian Special Committee on Oversight of the Security Authorities can refer offenses to the investigative body or the Chancellor of Justice and has other powers, such as the right to summon persons and require documents for examination.243 Cyprus’ House of Representatives deals directly with the president. This is due to the country’s unique situation: there is no law regulating CIS’ functioning, meaning it is not clear whether CIS can be considered a public service, and therefore subject to scrutiny by any of the existing parliamentary committees. The House of Representatives has not established a special parliamentary committee to oversee the intelligence services, and itself carries out very limited oversight.

Even parliamentary committees that are granted essential powers vary considerably. The Italian parliamentary Committee for the Security of the Republic (COPASIR), for instance, has quite different responsibilities. The reporting obligations of the intelligence services are quite broad and cover aspects such as the requests for telephone-tapping made by the services, or cases in which the services claim it is necessary to classify certain information as a state secret.244 It may also inspect the offices of the Information System, the complex set of bodies and authorities that make up the intelligence community. COPASIR also has the power to order the President of the Council of Ministers to conduct internal investigations in the presence of seeming illegality. The results of such investigations are submitted to the committee.

Other parliamentary committees may hold hearings with members of the executive or intelligence services, such as in France,245 Greece,246 Italy247 or Croatia,248 or carry out on-site oversight, such as in Slovenia249 and Croatia.250

In general, intelligence services’ budgets are controlled by parliament, giving parliamentarians substantial leverage. A great majority of oversight parliamentary committees have a say on the appropriation of funding. Germany, exceptionally, has a separate parliamentary committee in charge of the budget – the Trust Panel (Vertrauensgremium), which also decides on investment in surveillance technologies. One of its members can participate in the meetings of the Control Panel and one of the members of the Control Panel participates in the deliberations of the Trust Panel.251

Among the five Member States that have detailed legislation on signals intelligence (France, Germany, the Netherlands, Sweden and the United Kingdom), the German Parliamentary Control Panel, which is prescribed by Article 45 (d) of the German Basic Law (Grundgesetz), i.e. constitution, was granted the broadest powers of oversight over its intelligence services. It is tasked with supervising the three intelligence services and is responsible for approving important aspects of the strategic surveillance the services may carry out.252 It receives biannual reports from the Federal Ministry of the Interior regarding the implementation of the G 10 Act, which provides the legal basis for the strategic surveillance. The control panel has the right to request information from the federal intelligence authorities, to inspect their premises and to commission reports by external experts. It reports twice during the legislature to the parliament.253 A whistleblower mechanism provides for the possibility of being approached directly by intelligence service staff. However, the fact that its access to files and information may be limited by the “direct executive responsibility” of the Federal government means that it has restricted powers.

235 Latvia, Law on State Security Institutions (Valsts drošības iestāžu likums), 19 May 1994, Section 25.
236 Poland, Resolution of the Polish Sejm on Polish Sejm Rules of Procedure (Uchwała Sejmu Rzeczypospolitej Polskiej Regulamin Sejmu Rzeczypospolitej Polskiej), 30 July 1992, Art. 140.
237 Estonia, Security Authorities Act (Julgeolekuasutuste seadus), 1 March 2001, Section 36; Estonia, Riigikogu Rules of Procedure and Internal Rules Act (Riigikogu kodu- ja töökorra seadus), 17 March 2003, Section 22.
238 Austria, Rule of Procedure Act 1975 (Geschäftsordnungsgesetz 1975), 4 July 1975, as amended, Section 32 (b).
239 Czech Republic, Security Information Service Act (Zákon o Bezpečnostní informační službě), 7 July 1994, Art. 19.
240 Lithuania, Law of the Republic of Lithuania on Intelligence, Art. 21.
241 Council of Europe Commissioner for Human Rights (2015), p. 13.
242 Denmark, Bill No. 162 of 27 February 2013 on the Act amending the Act on the establishment of a Parliamentary Committee regarding FE and PET (Lovforslag nr. 162 af 27, februar 2013 om lov om ændring af lov om etablering af et udvalg of Forsvarets og Politiets Efterretningstjenester), 27 February 2013, Section 2.
243 Estonia, Security Authorities Act, Section 36.
244 Italy, Law No. 124/2007 on the Information System for the security of the Republic and new rules on State secrets, Arts. 31–34.
245 France, Ordinance No. 58-1100 on the functioning of the parliamentary assemblies (Ordonnance n°58-1100 relative au fonctionnement des assemblées parlementaires), 17 November 1958, as amended, Art. 6 nonies, III.
246 Greece, Standing Orders of the Hellenic Parliament (Κανονισμός της Βουλής), 22/24 June 1987, as amended, Art. 43A (2) (a).
247 Italy, Law No. 124/2007 on the Information System for the security of the Republic and new rules on State secrets, Art. 31 (1).
248 Croatia, Act on the Security Intelligence System of the Republic of Croatia, Art. 105 (1).
249 Slovenia, Parliamentary Supervision of the Intelligence and Security Services Act (Zakon o parlamentarnem nadzoru obveščevalnih in varnostnih služb), 26 February 2003, Art. 24.
250 Croatia, Act on the Security Intelligence System of the Republic of Croatia, Art. 104 (4).
251 Germany, Federal Budget Order (Bundeshaushaltsordnung), 19 August 1969, as amended, Section 10 (a); and Germany, Parliamentary Control Panel Act (Kontrollgremiumgesetz), 29 July 2009, Section 9. See also de With, H. and Kathmann, E., Policy Department C: Citizens’ Rights and Constitutional Affairs (2011), p. 225.
252 Germany, G 10 Act, Sections 5 and 8. See also Germany, Parliamentary Control Panel Act.

of the security and intelligence services. However, it may not consider particular operational matters that involve ongoing intelligence or security operations, unless tasked to do so by the prime minister, or unless the information is provided voluntarily to the committee by the security or intelligence services, or another government department. In practice, however, as evidenced by Leigh, the ISC looks at operational material on its own initiative.257 Nevertheless, since the ISC does not have formal investigative capacities and cannot corroborate the evidence it receives from the services, it must operate upon trust.258 The ISC may also examine or oversee any other activities of the government in intelligence and security matters that are set out in a memorandum of understanding.

Sweden, in contrast, does not have a specialised parliamentary committee to oversee its intelligence services. The work of the intelligence services does, however, fall within the remit of two standing committees within the parliament: the Committee on Justice and the Committee on Defence. The Committee on the Constitution is also significant as it is responsible for the areas of fundamental rights, data protection and privacy.254 One of the
Though it may request the chiefs of main problems in the realm of parliamentary oversight any of the three main intelligence and security services is that parliamentarians might not dedicate enough time to disclose certain information, this may be vetoed by to SIGINT-related matters due to their busy schedules.255 the secretary of state.259 Its reports, whether annual or This is exacerbated if this supervision is only a small ad hoc, must be sent to the prime minister, who may part of the agenda of a committee with a broader man- redact them before they are sent to parliament.260 The date. Non-specialised committees, moreover, will find services may also request the redaction of certain infor- it more difficult to develop expertise in the area, since mation from the committee’s reports, but these must intelligence-related matters have a steep learning curve. be justified, and the committee has the final say.261 The ISC may only report to the prime minister on national The French parliamentary oversight body – the parliamen- security-sensitive matters.262 Following the Snowden tary intelligence delegation (délégation parlementaire revelations, the ISC carried out an 18-month-long inquiry au renseignement, DPR) – has had its powers widened and published its findings in March 2015, providing an relatively recently (created in 2007, strengthened in overview of the legislation that governs the services December 2013), though it still faces certain restrictions. and their intrusive capacities.263 The findings conclude It examines and assesses governmental policy in the area that while their capabilities are necessary, the complex, of intelligence. 
It does not oversee the services directly, disperse legislation in place should be replaced by a new, and may conduct hearings and request reports, and can comprehensive, detailed act of parliament that covers make recommendations to the president of the republic the services’ intrusive powers, safeguards and over- and the prime minister. It also oversees the expenses of sight, as well as the intelligence sharing regime. the intelligence services through the Audit Commission on special funds (Commission de verification des fonds The Dutch parliamentary committee is composed of 11 spéciaux), which is composed of four members of the members. It exercises parliamentary oversight over the DPR. It does not, however, have access to information on government intelligence policy and looks in particular ongoing operations carried out by the services, regarding at the efficiency, effectiveness, lawfulness and budget governmental instructions given to them, or surveillance of the intelligence service.264 methods or exchanges with foreign services.256 Remarkably, the majority of parliamentary com- In the United Kingdom, the Intelligence and Security mittees do not have access to classified information Committee (ISC) is in charge of examining or overseeing received from foreign secret services. This is explicitly the expenditure, administration, policy and operations

253 See Germany, Federal Parliament (Deutscher Bundestag) (2013), the latest report covering 257 Leigh, I. (2013), p. 436. November 2011 to October 2013. See also 258 Ibid., p. 441. de With, H. and Kathmann, E., Policy Department C: Citizens’ 259 United Kingdom, Justice and Security Act 2013, Rights and Constitutional Affairs (2011), p. 218; Heumann, S. Section 4 (2) (b) of Schedule One. and Wetzling, T., Stiftung neue Verantwortung (2014). 260 Ibid., Sections 2 (3) and 2 (4) of Part 1. 254 Sweden, Parliament, The 15 parliamentary 261 United Kingdom, Intelligence and Security Committee of committees, www.riksdagen.se/en/Committees/ Parliament (ISC) (2015), p. iv (foreword). The-15-parliamentary-committees/. 262 United Kingdom, House of Commons Library (2013), p. 3. 255 Venice Commission (2015), p. 30. 263 United Kingdom, Intelligence and Security Committee of 256 France, Ordinance No. 58-1100 on the functioning of Parliament (ISC) (2015). the parliamentary assemblies, Art. 6 nonies, I 4°. See 264 The Netherlands, House of Representatives (Tweede also France, Urvoas, J.-J., Parliamentary Delegation on Kamer der Staten Generaal)(2014), ‘Commissie voor de Intelligence (2014), p. 13 and following and Urvoas, Inlichtingen- en Veiligheidsdiensten’, www.tweedekamer. J.–J (2015), p. 41 and following. nl/kamerleden/commissies/IV/index.jsp.

38 Oversight of intelligence services

stated in the cases of Spain,265 France266 and the United in the Netherlands,274 where the chairperson of each Kingdom,267 among others. This stems from the fact parliamentary group is a member. This is also true for that, as In’t Veld and Ernst stated, “The growing coop- the presidents of the political groups in Luxembourg.275 eration between national intelligence agencies has not been adequately matched by international collabora- In Croatia, the members of the Committee for Inter- tion between national oversight bodies”.268 Therefore, nal Affairs and National Security of the Croatian par- in practice there is for the most part no oversight of liament are chosen according to the general rules for intelligence sharing. the selection of members of parliamentary committees from members of parliament with an interest in national “[Member states of the Council of Europe must] ensure that security matters. access to information by oversight bodies is not restricted by or subject to the third party rule or the principle of originator To reinforce the legitimacy of parliamentary commit- control. This is essential for ensuring that democratic tees, Born and Leigh recommend that the commit- oversight is not subject to an effective veto by foreign tees “be chaired by a member of the opposition, or bodies that have shared information with security services. that chairmanship rotate between the opposition and Access to information by oversight bodies should extend to the government party”.276 This is the case in various all relevant information held by security services including 277 278 information provided by foreign bodies”. Member States, including Croatia, Hungary, Ger- many279 and Italy.280 Council of Europe Commissioner for Human Rights (2015), p. 13 In France, the chairpersons of the standing commit- 2.2.2. 
Composition tees of the National Assembly and Senate respectively charged with internal security affairs and defence are The appointing authority of a parliamentary commit- de facto members of the Parliamentary Delegation on tee should be parliament itself. This is the case in the Intelligence, and alternately hold the position of chair vast majority of countries, allowing them to enjoy more for one year.281 In Spain, its members are the president legitimacy. However, in some Member States, such as of congress and the congressmen who have access to the United Kingdom, the prime minister nominates official secrets,282 which eradicates the need to again the members of the parliamentary committee (after vet the committee’s members when they join the par- consulting the leader of the opposition), who are later liamentary committee. elected by parliament.269

Many Member States include mandatory proportional UN good practices on oversight institutions representation rules on membership. This is the case Practice 8. Oversight institutions take all necessary meas- in Estonia, Greece, Finland, Hungary and Italy.270 In ures to protect classified information and personal data to Austria,271 Belgium272 and Denmark,273 each political which they have access during the course of their work. party or political group represented in parliament has Penalties [should be] provided for the breach of these re- at least one member on the committee, as is the case quirements by members of oversight institutions. UN, Human Rights Council, Scheinin, M. (2010)

265 Spain, National Intelligence Centre Act, Art. 11 (2). 274 The Netherlands, House of Representatives (Tweede 266 France, Ordinance No. 58-1100 on the functioning of the Kamer der Staten Generaal) (2014), Commissie voor de parliamentary assemblies, Art. 6. Inlichtingen- en Veiligheidsdiensten, Web page, www. 267 United Kingdom, Justice and Security Act 2013, Section 5(c) tweedekamer.nl/kamerleden/commissies/IV/index.jsp. of Schedule 1. 275 Luxembourg, Act of 15 June 2004 on the organisation of the 268 European Parliament, Committee on Civil Liberties, Justice State Intelligence Service, Art. 14. and Home Affairs (2013b). 276 Born, H. and Leigh, I. (2005), p. 85. 269 United Kingdom, Justice and Security Act 2013, Sections 1 (3) 277 Croatia, Act on the Security Intelligence System of the and 1 (5). Republic of Croatia, Art. 105 (4). 270 Wills, A. et al., Policy Department C: Citizens’ Rights and 278 Hungary, Act CXXV of 1995 on the National Security Constitutional Affairs (2011). Services, Section 14 (1). 271 Austria, Rule of Procedure Act 1975, Section 32 (b). See 279 Germany, Federal Parliament (Deutscher Bundestag), also Austria, Parliament (Parlament), Permanent sub https://www.bundestag.de/bundestag/gremien18/pkgr committees to control intelligence services, http://www. 280 Wills, A. et al., Policy Department C: Citizens’ Rights and parlament.gv.at/ENGL/PERK/KONTR/POL/6STAEND_ Constitutional Affairs (2011), p. 140. UNTERAUSSCHUESSE/index.shtml 281 France, Ordinance No. 58-1100 on the functioning of the 272 Belgium, Rules of Procedure of the Chamber of parliamentary assemblies, Art. 6 nonies. Representatives (Règlement de la Chambre des 282 Spain, Act 11/1995 regulating the use and control of représentants), 2 October 2003, as amended, Art. 149. secret funds (Ley 11/1995, de 11 de mayo, reguladora de 273 Wills, A. et al. Policy Department C: Citizens’ Rights and la utilización y control de los créditos destinados a gastos Constitutional Affairs (2011). 
reservados), 11 May 1995, Art. 7 (1).


UN good practice 8 calls for mechanisms that ensure preservation of secrecy. Vetting, that is to say, assessing parliamentarians’ backgrounds to identify any risks involved in providing the MPs with security clearance, is one way of ensuring the protection of classified information. It is required in the parliamentary oversight committees of Estonia, Hungary, Latvia, Lithuania, and Poland.283

The MPs of most Member States are however not subject to such procedures, and do not require security clearance. This is because in many Member States, such control would be regarded as a violation of the separation of powers. In Slovenia, for instance, the Classified Information Act states that parliamentarians who sit on the Commission of the National Assembly for the Supervision of Intelligence and Security Services do not require authorisation to access classified information in the exercise of their functions.284

2.2.3. Access to information and documents

“[A]ll bodies responsible for overseeing security services [should] have access to all information, regardless of its level of classification, which they deem to be relevant to the fulfilment of their mandates. Access to information by oversight bodies should be enshrined in law and supported by recourse to investigative powers and tools which ensure such access. Any attempts to restrict oversight bodies’ access to classified information should be prohibited and subject to sanction where appropriate.”
Council of Europe Commissioner for Human Rights (2015), p. 13

Access to information and documents by oversight bodies is essential for adequate oversight. While information gathered by intelligence services is sensitive and safeguards are required to guarantee that it will be dealt with accordingly, oversight bodies cannot carry out their tasks without access to the information necessary to make an informed decision and carry out apt supervision. The opposite, however, seems to be the norm.

As shown by the table on Security clearance for members and staff of specialised oversight committees in Wills, Vermeulen et al.’s report for the European Parliament, members of parliamentary committees tend to have access to classified information.285 However, the law always qualifies the right of access, and no parliamentary committee has unrestricted access. In Italy, for instance, COPASIR may request information from the , private and public bodies, and the intelligence services, who may not allege investigational, professional or state secrets in return. However, this power is limited when the disclosure of the information or the transmission of a copy of a document can affect the safety of the republic, relations with foreign countries, the performance of ongoing operations or the safety of sources of information, employees or members of the services’ information security. Nevertheless, if the committee insists, its request will be evaluated by the President of the Council of Ministers. If the committee does not agree with the President of the Council of Ministers' decision, or receives no response within 30 days, COPASIR may forward the issue to each of the houses for their assessment.286

In Germany, the Parliamentary Control Panel has the right to request information, documents and other data files from the federal government and the three intelligence services. However, the obligation of the government and the intelligence services to provide information covers only documents the government has produced, and not, for example, those of foreign services or documents that would affect the personal rights of third parties.287 Though the Control Panel’s members are sworn to secrecy, they can comment publicly on certain issues, as long as the decision to do so is reached by two-thirds of its members.288 It may also request expert witnesses to submit evaluations, which are forwarded to parliament as reports.289

In Austria, the Standing Sub-Committee of the Committee on Internal Affairs (Ständiger Unterausschuss des Ausschusses für innere Angelegenheiten) controls the work of the Federal Agency for State Protection and Counter Terrorism (BVT). It is entitled to ask the relevant minister for information. However, these are not obliged to provide the information if they are not in a position to do so, or if it might jeopardise national interests or the safety of persons.290 Likewise, the United Kingdom’s Intelligence and Security Committee may also obtain information from agencies and government departments, except where the secretary of state blocks disclosure of “sensitive information”.291

Luxembourg’s Parliamentary Control Committee is also authorised to access any information and documents it considers relevant to the performance of its duties, with the exception of information or documents that could reveal the identity of a source or that would impair the rights of third parties.292 It can also request assistance from external experts when it requires special knowledge.293 This ensures that technical information is not overlooked by, in this case, parliamentarians who may not have the proper training or expertise. This is in line with the CoE Commissioner for Human Rights’ recommendation that “oversight bodies should have recourse to specialists in information and communications technology who can enable overseers to better comprehend and evaluate surveillance systems and thus to better understand the human rights implications of these activities”.294

Therefore, when it comes to the extent of committees’ power to initiate their own investigations, the laws of most countries grant parliamentary committees the authority to request information from the intelligence services or the executive, but not to demand it.

2.2.4. Reporting to parliament

Though most parliamentary committees submit reports at least annually, some reports are made public and others kept secret. As stated by Born, “Democratic oversight can only be effective, as a principle of good governance, if the public is aware of major issues open to debate at parliamentary level”;295 therefore, public reporting to parliament furthers transparency and public awareness. To achieve greater transparency and engagement with the public, the CoE Commissioner for Human Rights recommends that publishing public versions of periodic and investigation reports be required by law.296

In Austria for example, the reports are kept secret, since the work of the sub-committees is confidential.297 Similarly in Luxembourg, although the Parliamentary Control Commission submits annual reports to parliament, its checks on the intelligence service are confidential and the results are only submitted on a confidential basis to the prime minister, the head of the intelligence service and deputy members of the parliamentary committee.298 In Germany, short activity reports presented before parliament are made public.299 Every other document is kept confidential. In Denmark, on the other hand, there is no obligation for the Parliamentary Control Committee to report annually to parliament. In fact, it has only submitted eight reports on its activities since 1988.

The Intelligence and Security Committee of the United Kingdom reports to parliament annually and may also produce thematic ad hoc reports. The prime minister has the power to exclude beforehand matters considered “prejudicial to the continued discharge of functions” of the agencies.300 The French Parliamentary Delegation on Intelligence publishes the annual report it makes to parliament. In 2014, the annual report was longer and more detailed than in the past. It covered topics such as the hearings the committee carried out that year, economic surveillance, and recommendations on how to improve the legal framework and supervision of intelligence services to increase citizens’ confidence, to name a few.301

The Venice Commission recommends that parliamentary committees in charge of overseeing intelligence services have the power to issue more than an annual report, to make sure that their reporting remains relevant and can draw attention to activities that demand urgent responses.302 It is evident from the above examples that Member State practices are inadequate in this respect.

2.3. Expert oversight

2.3.1. Specialised expert bodies

Expert oversight is exceptionally valuable as it allows for the actions of the intelligence services to be scrutinised by those familiar with the subject, who have time to dedicate to the matter, and are independent of political allegiances. As stated by the CoE Commissioner for Human Rights, they “are often best placed to conduct detailed day-to-day oversight of the legality of security service activity”.303 For their potential to be maximised, however, they must be granted adequate independence, resources and powers.304 The following table lists the various expert oversight bodies established in the Member States. To provide an overview of how these work across the EU-28, a sample has been explained in the text.

283 Wills, A. et al., Policy Department C: Citizens’ Rights and Constitutional Affairs (2011), p. 138 f.
284 Slovenia, Classified Information Act (Zakon o tajnih podatkih), 25 October 2001, Art. 4.
285 Wills, A. et al., Policy Department C: Citizens’ Rights and Constitutional Affairs (2011), p. 142.
286 Italy, Law No. 124/2007 on the Information System for the security of the Republic and new rules on state secrets, Art. 31 (8 to 10).
287 Germany, Parliamentary Control Panel Act, Section 6.
288 Ibid., Section 10 (2).
289 Ibid., Section 7. See also Dietrich, J.-H. (2015), p. 14.
290 Austria, Rule of Procedure Act 1975, Section 32 (c) (2).
291 United Kingdom, Justice and Security Act 2013, Section 4 (4) of Schedule 1.
292 Luxembourg, Act of 15 June 2004 on the organisation of the State Intelligence Service, Art. 15 (3).
293 Born, H. and Leigh, I. (2005), p. 93.
294 Council of Europe Commissioner for Human Rights (2015), p. 14.
295 Born, H. et al. (eds.), Geneva Centre for the Democratic Control of Armed Forces (DCAF) (2003), p. 41.
296 Council of Europe Commissioner for Human Rights (2015), p. 14.
297 Austria, Rule of Procedure Act 1975, Section 32a (2).
298 Luxembourg, Act of 15 June 2004 on the organisation of the State Intelligence Service, Art. 15 (5) and 15 (8).
299 For the activities of the Parliamentary Control Panel, see German Federal Parliament (2013). Regarding the activities of the G 10 Commission, see the report presented by the Parliamentary Control Panel to Parliament: Germany, Federal Parliament (Deutscher Bundestag) (2015).
300 United Kingdom, Justice and Security Act 2013, Section 3 (4) of Part 1.
301 France, Urvoas, J.-J., Parliamentary Delegation on Intelligence (2014).
302 Venice Commission (2007), p. 37.
303 Council of Europe Commissioner for Human Rights (2015), p. 8.
304 See Dewost, J.-L., Pelletier, H. and Delarue, J.-M. (2015), pp. 14 and following.


Table 2: Expert bodies in charge of overseeing surveillance, EU-28

| EU Member State | Expert bodies |
|---|---|
| AT | Legal Protection Commissioner (Rechtsschutzbeauftragter) |
| BE | Standing Intelligence Agencies Review Committee (Vast Comité van Toezicht op de inlichtingen- en veiligheidsdiensten / Comité permanent de Contrôle des services de renseignement et de sécurité); Administrative Commission (Bestuurlijke Commissie/Commission Administrative) |
| BG | National Bureau for Control over Special Intelligence Means (Национално бюро за контрол на специалните разузнавателни средства) |
| CY | N.A. |
| CZ | N.A. |
| DE | G 10 Commission (G 10-Kommission) |
| DK | Oversight Committee of the Intelligence Services (Tilsynet med Efterretningstjenesterne) |
| EE | N.A. |
| EL | Hellenic Authority for Communication Security and Privacy (Αρχή Διασφάλισης του Απορρήτου των Επικοινωνιών) |
| ES | N.A. |
| FI | N.A. |
| FR | National Commission for Control of Intelligence Techniques (Commission nationale de contrôle des techniques de renseignement) |
| HR | Office of the Council for National Security (Ured Vijeća za nacionalnu sigurnost); Council for Civic Oversight of Security and Intelligence Services (Vijeće za građanski nadzor sigurnosno-obavještajnih agencija) |
| HU | N.A. |
| IE | Complaints Referee; Designated Judge of the High Court |
| IT | N.A. |
| LT | N.A. |
| LU | Supervisory committee (autorité de contrôle) of Act of 2 August 2002; Commission (commission) of the Criminal Investigation Code (Code d’Instruction Criminelle) |
| LV | N.A. |
| MT | Commissioner of the Security Service (Kummissarju tas-Servizz ta’ Sigurtà) |
| NL | Review Committee on the Intelligence and Security Services (Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten) |
| PL | N.A. |
| PT | Council for the Oversight of the Intelligence System of the Portuguese Republic (Conselho de Fiscalização do Sistema de Informações da República Portuguesa) |
| RO | N.A. |
| SE | State Defence Intelligence Commission (Statens inspektion för försvarsunderrättelseverksamheten); Commission on Security and Integrity Protection (Säkerhets- och integritetsskyddsnämnden); Foreign Intelligence Court (Försvarsunderrättelsedomstolen) |
| SI | N.A. |
| SK | N.A. |
| UK | Intelligence Services Commissioner; Interception of Communications Commissioner; Investigatory Powers Tribunal |

Source: FRA, 2015


Across the EU, 15 Member States have set up expert request of a citizen or a civil servant who lodges a com- bodies exclusively dedicated to intelligence service plaint or files a denunciation. In a judicial capacity, the oversight. Some of their competences include author- Standing Committee I is also responsible for the ex ising surveillance measures, investigating complaints, post control of ‘specific and exceptional data collection requesting documents and information from the intel- methods’ used by the intelligence and security services. ligence services, or giving advice to the executive and/ The term ‘specific and exceptional data collection meth- or parliament. ods’ is relatively broad, covering all forms of collection of communications data relevant to this report, since “In contrast to parliamentary oversight committees, expert they interfere with individual privacy.309 Moreover, the bodies conduct their work on a (near) full-time basis. This Standing Committee I may, on request, advise on bills generally means that they can provide more comprehensive and regulatory acts or any other document expressing and in-depth scrutiny than their parliamentary counterparts”. the political orientations of the competent ministers Council of Europe Commissioner for Human Rights (2015), p. 47 regarding the functioning of the intelligence services or the Coordination Unit for Threat Assessment. Providing for parliamentary involvement in the estab- lishment of the expert body and/or the election of its Belgium has a second expert body referred to as the members grants the expert body more legitimacy and Administrative Commission. It is made up of three acting helps establish a good rapport between the two.305 members and three substitute members, one of whom This occurs in Bulgaria, where the National Assembly is a state prosecutor, while the other two are judges. 
appoints the five members of the National Bureau for The commission is responsible for monitoring specific Control over Special Intelligence Means. The bureau has and exceptional data collection methods used by the the power to issue binding decisions to the intelligence intelligence and security services. It controls the legal- services on the access, collection, storage and destruc- ity, subsidiarity and proportionality of these data col- tion of special intelligence means. It may also access lection methods. Furthermore, the implementation all relevant information required to carry out its work. of an exceptional method requires the commission’s 306 In Croatia, the specialised parliamentary committee approval.310 for Internal Affairs and National Security appoints the members of the Council for Civic Oversight of Security By contrast, the executive appoints the members of and Intelligence Agencies, and its seven members are some expert bodies. This is the case, for instance, in chosen from among those who answer a public call on Austria, Denmark (except the president of the expert the basis of expertise. They are granted full security body, who must be a High Court judge, and is nominated clearance once selected. The law states that some of by the president of the High Court and the High Court),311 its members must be law, political science or electrical Sweden and the United Kingdom. The Austrian Legal engineering graduates.307 Protection Commissioner (Rechtsschutzbeauftragter, RSB) and his/her two deputies are appointed by the The Belgian Standing Intelligence Agencies Review Federal president upon the proposal of the government, Committee (Standing Committee I) is an example of after consulting the president of parliament, and the an expert body with broad oversight powers.308 Its three presidents of the constitutional court and the adminis- members are nominated by parliament. One member trative court. 
The RSB and his/her two substitutes are acts as president of the committee and must be a mag- appointed to the Federal Ministry of the Interior for istrate. The other two are counsellors and must hold a five-year term and may be re-appointed. They are law degrees. The committee members are supported independent in the exercise of their functions and are by a five-staff investigation service headed by a mag- not bound by instructions. RSBs are required to have istrate, a member of an intelligence service, a member experience in and knowledge of human rights, and at of a police service, or a public servant nominated by the least five years’ experience in a legal profession.312 The committee; it also has 16 administrative staff. Among police authorities provide the RSB with full access to the Standing Committee’s key assignments (eight in documents and recordings necessary for performing total) it may initiate investigations on its own initia- his/her tasks. The RSB plays an important role in over- tive, on the request of the Chamber of Representa- seeing the implementation of data protection safe- tives or the competent minister or authority, or on the 309 Belgium, Standing Committee I (2012), p. 55 and following. 305 Venice Commission (2007), p. 50. 310 Belgium, Law on the Intelligence and Security Services (Loi 306 Bulgaria, Special Intelligence Means Act (Закон organique des services de renseignement et de sécurité), за специалните разузнавателни средства), 18 December 1998, Art. 43/1. For a description of the 21 October 1997, Art. 34 (b). law; see Belgium, Standing Committee I (2011), Rapport 307 Croatia, Act on the Security Intelligence System of the d’activités 2010, pp. 49–61. Republic of Croatia, Art. 110. 311 Denmark, Act No. 604 on the Danish Security and 308 Belgium, Organic Law on the control of police and Intelligence Service as amended by Act. No. 1624, intelligence services and the Coordination Unit for Threat Sections 16 and 16 (2). Assessment, Arts. 
28, 32, 33, 34 and 35. 312 Austria, Police Powers Act, Section 91 (a).

43 Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU

guards, contributes to remedial actions, and reports annually to the Minister of Interior; this report has to be made available to the parliamentary oversight sub-committee.313

The Hellenic Authority for Communication Security and Privacy (ADAE) in Greece is an example of a well-staffed expert body. Its seven members, required to have the appropriate legal and technical expertise, are supported by a staff of 38 with competencies in the sciences to law. ADAE is fully independent and its members are appointed by the Conference of Parliamentary Chairmen.314 It can carry out inspections, audits, and access the intelligence services’ and documents. However, it has so far exclusively focused its oversight on telecommunications providers.315 ADAE also issues statistical data regarding interception carried out by the services, receives complaints and carries out hearings. However, when reviewing interceptions, it must limit its review of their legality. It may not assess judicial holdings and its findings are not binding.316

One of the main issues regarding expert oversight is the lack of clarity about what constitutes the required expertise. In Portugal, for instance, the three candidates of the Council for the Oversight of the Intelligence System of the Portuguese Republic must be citizens of “recognised integrity and in full capability of their civil and political rights”.317 Though their selection follows procedure, it is not clear from the onset what is necessary to fulfil the expert requirements. In most countries, it is common practice for the members of expert bodies to be judges (active or retired). More is necessary to guarantee adequate oversight; for example, specialisation has been put forward as an option.318 Only Ireland has established the position of a specialised judge, who is in charge of adjudicating matters of communications interception.

Oversight must cover both legal aspects of surveillance and its actual technical implementation, meaning a correct understanding of the technical aspect is essential. Judges are legal, not technology, specialists, and, as noted by the Venice Commission, do not necessarily have the expertise required to oversee intelligence services. To bridge this gap, oversight bodies should, to the greatest extent possible, be composed of individuals with diverse backgrounds, and, as recommended by the CoE Commissioner for Human Rights, be able to rely on information and communication technology specialists to provide them with a better understanding of surveillance systems and their human rights implications.319 In France, for example, one member of the CNCTR has skills in electronic communications and is nominated by the Electronic Communications and Posts Regulatory Authority (Autorité de régulation des communications électroniques et des postes, ARCEP).320

All five Member States with detailed signals intelligence laws have established one or more expert bodies to oversee this capacity of the intelligence services (or part thereof, as with ‘open sky’ in Germany). However, their mandates are not always comparable.

In Germany, expert oversight is carried out by the G 10 Commission, which has four members and four substitutes. The chairperson must be qualified for judicial office,321 and its members are elected by the Parliamentary Control Panel. Being a member of parliament is not mandatory.322 At present, two substitute members are current MPs, and the other members are past MPs.323 Its main task is to authorise surveillance measures of the intelligence services; to do so, it must meet at least once a month. The G 10 Commission draws up its own procedures, which must be approved by the Parliamentary Control Panel after consultation with the government.324 It is supported by the same six-person secretariat that works for the Parliamentary Control Panel.

The Dutch three-member Review Committee on the Intelligence and Security Services (CTIVD) is an independent body, assisted in its work by seven staff members.325 Through in-depth investigations and its “complaints advisory”326 role, the committee ensures that the intelligence services perform their duties lawfully. To do so, it has unlimited and independent access to AIVD data. Interestingly, to tackle the issue of expertise, the CTIVD established a “knowledge network” composed of scientific experts advising the Review Committee on a regular basis on specific reports relating to technological, legislative and social developments.327 Indeed, with

313 Ibid., Section 91 (d). A case challenging the RSB’s powers is pending before the ECtHR, see ECtHR, Tretter and Others v. Austria, No. 3599/10, communicated on 6 May 2013.
314 Greece, Law 3115/2003 on the Hellenic Authority for Communication Security and Privacy (Eλληνική Αρχή Διασφάλισης του Απορρήτου των Επικοινωνιών), 27 February 2003, Art. 2 (2); Greece, Hellenic Constitution, (Σύνταγμα), 11 June 1975, as amended, Art. 101A; and Greece, Standing Orders of the Hellenic Parliament, Arts. 13 and 14.
315 Greece, Authority for Communication Security and Privacy, Annual reports for the years 2004–2014.
316 Greece, Law 3115/2003 on the Hellenic Authority for Communication Security and Privacy, Art. 6.
317 Portugal, Framework Law 30/84 on the Intelligence System of the Portuguese Republic, Art. 7 (2).
318 Venice Commission (2007), p. 46.
319 Council of Europe Commissioner for Human Rights (2015), p. 14.
320 France, Interior Security Code, Art. L. 831–1 (4).
321 European Network of National Intelligence Reviewers (ENNIR), Intelligence review in Germany, 12 June 2012.
322 Germany, G 10 Act, Section 15.
323 Germany, Federal Parliament (Deutscher Bundestag), Composition of the G 10 Commission.
324 ECtHR, Klass and Others v. Germany, No. 5029/71, 6 September 1978, para. 21.
325 See The Netherlands, CTIVD (2015), p. 39.
326 The Netherlands, CTIVD (2014), p. 7.
327 See The Netherlands, CTIVD (2015), p. 10.

44 Oversight of intelligence services

the increased sophistication of surveillance techniques, which often are automatised, the CTIVD recognised the need for ICT expertise, and invested additional financial resources in technology for carrying out oversight.328

Following the Snowden revelations, the Dutch parliament asked the oversight body to conduct an in-depth investigation of how intelligence services acquire, use and exchange data with foreign services. The CTIVD concluded that the intelligence services’ systematic acquisitions of personal data were done lawfully, but still deemed current privacy safeguards inadequate, and suggested enhancing them.329 CTIVD also stated that “the potential of AIVD […] to infringe privacy in the digital domain goes further than was foreseen when the ISS [Intelligence and Security Services] Act 2002 was drafted and enacted”, and found some procedures that govern the intelligence services unlawful, calling for stricter oversight of the services’ digital activities.330 Based on past review reports, CTIVD concluded that “the services have not yet been able to establish a procedure that ensures their consistent compliance with the statutory safeguards when selecting from untargeted interception (SIGINT).”331

An ad-hoc committee in the Netherlands that presented an assessment of the Intelligence and Security Services Act to parliament suggested granting the intelligence services more extensive powers to intercept cable-bound communication in an untargeted manner. It balanced this call for more power by also recommending that the CTIVD be granted stronger oversight by making its decisions binding.332 However, while the new draft law indeed grants the services more powers, the committee’s opinions remain non-binding.333

In the United Kingdom, the Investigatory Powers Tribunal is charged with receiving complaints about surveillance.334 Two Commissioners oversee the use of the powers established in the Regulation of Investigatory Powers Act: the Intelligence Services Commissioner335 and the Interception of Communications Commissioner.336 To be eligible for the position, the commissioners must hold or have held high judicial office. They are appointed by the prime minister and must report to him/her annually and bi-annually, respectively. The prime minister has the power to exclude from the commissioners’ annual reports information that would contravene the public interest or be prejudicial to matters such as national security.337 Specifically, the prime minister sends these commissioner reports to parliament, together with a statement as to whether any matter has been excluded therefrom.338 No material was excluded from the Interception of Communications Commissioner Annual Report for 2014339 or from the Intelligence Services Commissioner Annual Report for 2014.340

Both commissioners may obtain documents and information from officials and oversee that the warranting carried out by the Secretaries of State is done lawfully. They must also ensure that the safeguards relating to how the intercepted material is used are respected. However, while the Interception of Communications Commissioner has a chief inspector, nine inspectors and two office staff, the Intelligence Services Commissioner works part-time and has a part-time secretary. The efficacy of the commissioners’ roles has also been called into question in light of their level of independence and resources. The Interception of Communications Commissioner, for instance, examined only 34 % of interception warrants issued in 2014, an increase of 14 % from the preceding year.341 Furthermore, some of the intelligence services’ powers are not subject to oversight by either commissioner. For example, the Intelligence and Security Committee discovered that GCHQ could access “bulk personal datasets” – large databases of information that are overtly and covertly obtained from private and bulk entities and used for intelligence purposes – and that this was not subject to oversight by any expert body. The prime minister therefore signed a direction putting the use of bulk personal datasets under the competence of the Intelligence Services Commissioner.342 Though the role of the Interception of Communications Commissioner was found to be a “model” of review bodies by the Independent Reviewer of Terrorism Legislation,343 the reviewer nevertheless recommended that they be replaced by an Independent Surveillance and Intelligence Commission (ISIC).344

328 See Ibid., pp. 10 and 39.
329 The Netherlands, CTIVD (2014), p. 37 and following. See also The Netherlands, CTIVD (2015), p. 28.
330 The Netherlands, CTIVD (2014), p. 5.
331 Ibid., p. 28.
332 The Netherlands, ISS Act 2002 Evaluation Committee (Commissie evaluatie Wiv 2002) (2013), Evaluatie Wet op de inlichtingen- en veiligheidsdiensten 2002, pp. 78–80, 83, 87, 89 and 102. See also The Netherlands, CTIVD (2015), pp. 27–29.
333 The Netherlands, Draft law on the Intelligence and Security Services 20XX.
334 United Kingdom, Regulation of Investigatory Powers Act 2000, Sections 65–70.
335 Ibid., Sections 59 and 60; United Kingdom, Justice and Security Act 2013, Section 5 of Part 1.
336 United Kingdom, Regulation of Investigatory Powers Act 2000, Sections 57 and 58.
337 Ibid., Sections 58(7) and 60(5).
338 Ibid., Sections 58(6) and 60(4).
339 United Kingdom, Interception of Communications Commissioner (IOCCO) (2015).
340 United Kingdom, Intelligence Services Commissioner (2015).
341 United Kingdom, IOCCO (2015), p. 30.
342 United Kingdom, Intelligence Services Commissioner (Additional Review Functions) (Bulk Personal Datasets) Direction 2015, http://www.intelligencecommissioner.com/docs/PM_Direction_12_March_15.pdf
343 Anderson, D., p. 123.
344 Ibid., p. 280.


Sweden has three expert bodies.345 The State Defence Intelligence Commission (Statens inspektion för försvarsunderrättelseverksamheten, SIUN) is tasked with ensuring that the state’s defence intelligence is carried out lawfully.346 SIUN monitors the conduct of the intelligence service and must be informed about the search terms the services apply. It exerts control over the signals that telecommunications carriers must provide to interaction points. SIUN is also in charge of reviewing the processing of personal data by the intelligence service, and ensuring that data collection complies with the permits issued by the Foreign Intelligence Court. It has the power to stop on-going signals intelligence and subsequently order its destruction. SIUN may appoint an expert to assist the committee. The government appoints its seven members, and its chair and vice chair must be or have been judges. The remaining members are nominated by parliamentary party groups. The commission is supported by a secretariat.347 It currently has six members. The four members nominated by the party groups are all former members of the national parliament. The second expert body, the Foreign Intelligence Court (Försvarsunderrättelsedomstolen, FUD), will be covered in Section 2.4, since it is in charge of authorising the gathering of signals intelligence. The third expert body, the Commission on Security and Integrity Protection (Säkerhets- och integritetsskyddsnämnden, SIN), is in charge of providing individuals with information regarding whether they have been subject to secret surveillance. This commission may access information held by any administrative authority. Its chair and vice chair must be judges or have a similar level of legal experience. Other members (a maximum of eight) are nominated by the party groups in parliament.348 SIN is not involved in matters linked to signals intelligence.

In France, the law on intelligence set up the National Commission on the Control of Intelligence Techniques (Commission nationale de contrôle des techniques de renseignement, CNCTR), which replaced the current National Commission on the Control of Security Interception (Commission nationale de contrôle des interceptions de sécurité).349 The law strengthened the powers of the new commission, which comprises nine members: two members of the National Assembly, two senators, two members of the Council of State, two judges of the Court of Cassation and one member with technical skills in electronic communications.350 They are nominated for six years, apart from the members of parliament, whose mandate is linked to their seat in parliament. The CNCTR is provided with the human, technical and budgetary means needed to accomplish its missions. A secretary general and staff members assist its work. Commission members and staff members have access to secret documents. The CNCTR’s work is secret.

The CNCTR ensures that surveillance measures are carried out lawfully in France. It particularly assesses whether prescribed procedures are followed, and whether these respect the right to privacy and the principle of proportionality.351 Should the CNCTR consider a surveillance measure to be carried out unlawfully, it can recommend to the prime minister, the relevant minister and the intelligence service that the surveillance be interrupted and the collected data destroyed. The prime minister must immediately inform the CNCTR about how the recommendation was followed up. If the recommendation is not followed appropriately, the CNCTR can bring the case before the Council of State. Interestingly, the commission can consult and answer the questions of the Electronic Communications and Posts Regulatory Authority.352 The law does not mention any links to the French data protection authority (CNIL).

While expert bodies undoubtedly have recognised expertise in the area of intelligence, data protection authorities (DPAs) are specialised bodies that have been tasked with safeguarding privacy and data protection in EU Member States. In countries where both exist and DPAs are competent to oversee intelligence services, their interaction is sometimes organised by law, and sometimes takes place in practice without legal requirements. The next section addresses the roles of DPAs.

2.3.2. Data protection authorities

Data protection authorities also constitute expert bodies in the context of oversight. They play a fundamental role in safeguarding the right to the protection of personal data. This role is enshrined in EU primary and secondary law, notably in Article 8 (3) of the Charter and Article 16 (2) of the TFEU, as well as in Article 28 of the Data Protection Directive.353 Similarly, the principle of compliance control by an independent body is endorsed in the Explanatory Report of Council of Europe Convention 108, and was eventually laid down in its Additional Protocol 181 of 2001. Moreover, in some Member States,

345 Cameron, I. (2011), pp. 280 and following.
346 Sweden, Act on the Foreign Intelligence Court (2009:966) (Lagen om Försvarsunderrättelsedomstol (2009:966)), 15 October 2009 and Sweden, Regulation 2009:968 with instructions for the Foreign Intelligence Court (Förordning (2009:968) med instruktion för Försvarsunderrättelsedomstolen), 15 October 2009.
347 Sweden, Act on Signals Defence Intelligence, Section 10.
348 Sweden, The Swedish Commission on Security and Integrity Protection, http://www.sakint.se/InEnglish.htm
349 France, Interior Security Code, Art. L. 831-1 to Art. L. 833–11.
350 For a discussion of concerns expressed by former CNCIS presidents about the increase in number of members – which could affect the efficiency of the decision-making process – see Dewost, J.-L., Pelletier, H. and Delarue, J.-M. (2015), p. 19.
351 France, Interior Security Code, Art. L. 801–1 (5) and Art. L. 833–5.
352 Ibid., Art. L. 833-11.
353 Data Protection Directive.


compliance control by an independent body is laid down in the Constitution (Greece and Portugal).354

The Court of Justice of the European Union (CJEU) held in a series of judgments that supervision by DPAs is an essential component of the right to personal data protection – more recently in judgments invalidating the and the Commission’s Decision on Safe Harbour principles.355 The cases show that, in accordance with Article 8 (3) of the Charter and Article 28 of the Data Protection Directive, DPAs shall act in full independence, in particular from the government.356

Article 28 of the Data Protection Directive endows DPAs with the powers deemed necessary to hear claims relating to the lawfulness of data processing and the protection of rights regarding the processing of personal data. For effective compliance control, Article 28 (2) and (3) of the Data Protection Directive give advisory powers to DPAs when Member States draw up legislative or administrative measures, as well as powers of investigation (access and collection of necessary information), intervention (ordering corrective measures, banning data processing, warning or admonishing the data controller, referring the matter to national parliaments and other political institutions), and engagement in legal proceedings. DPA decisions may be subject to judicial control. Additional Protocol 181 to Convention 108 also provides for these powers – except for advisory power, which is merely mentioned in the explanatory report to the protocol.357

FRA findings show that, compared to other fields of data processing activities and other data controllers of the public and private sector, DPAs in most Member States have no competences over national intelligence services, or their powers are limited. As highlighted earlier, both the Data Protection Directive and the e-Privacy Directive are subject to the national security exemption. Regulation of the competence of DPAs in respect of the intelligence may, however, be provided in national law.

In seven Member States (Austria, Bulgaria, Croatia, Finland, Hungary, Slovenia, and Sweden) DPAs have the same powers over national intelligence services as they do over any other data controller. This does not necessarily mean that national legislators have endowed the DPAs with the full range of powers listed above. It means that the legislators have not distinguished between intelligence services and other categories of data controllers in the public sector.

DPAs have no powers over intelligence services in 12 Member States (the Czech Republic, Denmark, Estonia, Latvia, Luxembourg, Malta, the Netherlands, Portugal, Romania, Slovakia, Spain, and the United Kingdom). They are either expressly excluded by the general data protection law or by specific laws on the functioning of the national intelligence services. In Latvia, for instance, the general data protection law states that the DPA is not competent to supervise files classified as “official secrets”. Personal data processed by the intelligence services fall entirely within this scope, as the Investigatory Operations Law stipulates.358 In the United Kingdom, the Information Commissioner pointed out in his written submissions to the Intelligence and Security Committee of Parliament that, while surveillance entails significant privacy and data protection concerns, when national security is invoked, many exceptions to the data protection rules can apply.359

In Luxembourg, the DPA itself is not competent to supervise the intelligence service, but the supervisory authority competent to supervise data processing related to state security, defence and public safety comprises the Chief State Prosecutor and two members of the DPA.360 This interesting solution ensures that the oversight body is knowledgeable on data protection requirements.

In nine Member States (Belgium, Cyprus, France, Germany, Greece, Ireland, Italy, Poland, Lithuania), DPAs have limited powers over intelligence services. While these DPAs have the power to issue non-binding recommendations on general matters related to national intelligence services’ surveillance, limitations vary considerably by Member State. Some are formal and do not really affect DPAs’ powers, while others are more substantive. The wider the limitations, the narrower the powers.

Formal requirements in Cyprus or Greece, for example, set forth that an on-site inspection can only take place if the DPA head is present.361 Similarly, in France only

354 FRA (2010), Section 6.1, p. 47.
355 CJEU, Joined cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and others, 8 April 2014, para. 68; CJEU, C-362/14, Maximillian Schrems v. Data Protection Commissioner, 6 October 2015, para. 41 and 66.
356 CJEU, C-518/07, European Commission v. Federal Republic of Germany [GC], 9 March 2010, paras. 23 and 30, CJEU, C-614/10, Commission v. Austria, 16 October 2012, paras. 36–37; CJEU, C-288/12, Commission v. Hungary, 8 April 2014, paras. 47–48; CJEU, Joined cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others, 8 April 2014, para. 68.
357 Council of Europe, Convention 108, Additional Protocol, para. 16.
358 Latvia, Investigatory Operations Law (Operatīvās darbības likums), 16 December 1993, Art. 24.
359 United Kingdom, Information Commissioner’s Office (2014).
360 Luxembourg, Act of 2 August 2002 on the protection of persons with regard to the processing of personal data (Loi du 2 août 2002 relative à la protection des personnes à l’égard du traitement des données à caractère personnel), 2 August 2002, Art. 17 (2).
361 Cyprus, Law No. 138 [I] 2001 on the Processing of Personal Data (Ο Περί της Επεξεργασίας Δεδομένων Προσωπικού Χαρακτήρα (Προστασία του Ατόμου) Νόμος), as amended, Art. 23 (1) (h). Greece, Data Protection Law 2472/1997 (Νόμος 2472/1997 για την προστασία του ατόμου από την επεξεργασία δεδομένων προσωπικού χαρακτήρα), 10 April 1997, as amended, Art. 19 (1) (h).


a DPA commissioner who has been a member of the Council of State, the Court of Cassation or the Court of Auditors may carry out an investigation.362 In Germany the law stipulates that, in place of the head, an officer duly authorised in writing may carry out this task.363 Such formal limitations – especially those requiring the heads of the DPAs to be present during an on-site inspection – may indeed hamper the organisation of the DPA’s work.

When vested with exercising individuals’ right to access their own data, such as in Belgium, France or Italy, DPAs are merely permitted to inform an individual that the necessary checks have been made, but not which data have been processed, if such information affects the security of the state. In Italy, when investigating a complaint and accessing classified documents, the DPA shall not inform the individual of the investigation’s outcome if such information may affect state security. The DPA may, however, request that appropriate measures be adopted, just as it may when handling complaints not related to intelligence services.

Other limitations are linked with core powers. Data processing activities by intelligence services may be wholly (Belgium) or partially (France) excluded from the notification requirement of controllers to DPAs.364

Investigatory powers, especially the powers to request and/or access data and premises, are also limited (France, Germany, Ireland and Poland).365 In Ireland, for instance, the DPA cannot access premises and data, or request data that, in the opinion of the Minister or the Minister of Defence, are processed to safeguard state security. In Germany, such access may be denied if doing so would harm the security of the Federation or a Land.

Some DPAs lack the power to handle complaints of individuals related to data processing activities by intelligence services, or to issue binding decisions (Belgium, Poland).366

In Germany, the G 10 Commission can request the federal DPA to provide an opinion on issues related to data-protection safeguards when performing its tasks.367 In principle, however, the G 10 Commission is exclusively competent to monitor the data processing of the services under its supervision.368 For the so-called ‘open-sky’ data, which are not controlled by the G 10 Commission, the federal DPA should in principle be competent to supervise whether data protection safeguards are respected by the intelligence service (BND), which should facilitate its work.369 That said, this matter is the subject of on-going discussions, including before the NSA Committee of Inquiry of the German Federal Parliament.370

Finally, according to FRA data, the Lithuanian DPA’s powers cannot be clearly defined because the wording of the data protection law in conjunction with the specific law on the national intelligence services is inconclusive.371

Table 3 presents a synopsis of the abovementioned findings.

The Article 29 Data Protection Working Party (WP29), which represents all EU DPAs, in 2014 twice stressed that effective and independent supervision of intelligence services is necessary. The WP29 recommended that this supervision be carried out by DPAs themselves, or with their genuine involvement.372 Similarly, the 36th International Conference of Data Protection and Privacy Commissioners called for all electronic surveillance programmes to comply with the 2009 Madrid International Standards on the Protection of Personal Data and

362 France, Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties (Loi n. 78-17 du 6 Janvier 1978 relative à l’informatique, aux fichiers et aux libertés), 6 January 1978, Art. 41 (2). See also France, CNIL (2015), p. 47.
363 Germany, Federal Data Protection Act (), 14 January 2003, as amended, Section 24 (4).
364 Belgium, Data Protection Act (Loi relative à la protection de la vie privée à l’égard des traitements de données à caractère personnel), 1 April 1993, as amended, Art. 3 (4) in conjunction with Art. 17; France, Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties, Art. 26 (3), in conjunction with France, Decree No. 2007-914 for application of Article 30 of Law No. 78–17 relating to information technology, files and freedoms (Décret n°2007-914 pris pour l’application du I de l’article 30 de la loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés), 15 May 2007.
365 France, Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties, Art. 44, in conjunction with France, Decree No. 2007-914 for application of Article 30 of Law No. 78-17 relating to information technology, files and freedoms; Germany, Federal Data Protection Act, Section 24 (4); Ireland, Data Protection Act, 13 July 1988, as amended, Section 12 (4) (b) and 24; Poland, Data Protection Act 1997 (Ustawa o ochronie danych osobowych), 30 April 1998, Art. 43 (2) in conjunction with Art. 14 (1) (3) (5).
366 In Belgium, the DPA generally does not have the power to handle complaints and issue binding decisions vis-a-vis NIS; see Belgium, Data Protection Act, Art. 3 (4) in conjunction with Art. 31 and Arts. 29 and 30. In Poland, the DPA generally does not have the power to handle complaints and issue binding decisions, see Poland, Data Protection Act 1997, Art. 43 (2) in conjunction with Arts. 12, 15–18.
367 Germany, G 10 Act, Section 15 (5).
368 Germany, Federal Data Protection Act, Section 24 (2).
369 See de With, H. and Kathmann, E. (2011) p. 227.
370 Krempl, S. (2015).
371 Lithuania, Law on Legal Protection of Personal Data (Lietuvos Respublikos asmens duomenų teisinės apsaugos įstatymas), No. X-1444, 1 February 2008, as amended, Art. 1 (5); in conjunction with Lithuania, Law of the Republic of Lithuania on Intelligence, Art. 24.
372 Article 29 Working Party (2014b), p. 13; Article 29 Working Party (2014a), p. 3.


Table 3: DPAs’ powers over national intelligence services, EU-28

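| EU Member State | No powers | Same powers (as over other data controllers) | Limited powers |
|---|---|---|---|
| AT | | X | |
| BE | | | X |
| BG | | X | |
| CY | | | X |
| CZ | X | | |
| DE | | | X |
| DK | X | | |
| EE | X | | |
| EL | | | X |
| ES | X | | |
| FI | | X | |
| FR | | | X |
| HR | | X | |
| HU | | X | |
| IE | | | X |
| IT | | | X |
| LT | | | X |
| LU | X | | |
| LV | X | | |
| MT | X | | |
| NL | X | | |
| PL | | | X |
| PT | X | | |
| RO | X | | |
| SE | | X | |
| SI | | X | |
| SK | X | | |
| UK | X | | |
| TOTAL | 12 | 7 | 9 |

Notes: No powers: refers to DPAs that have no competence to supervise NIS. Same powers: refers to DPAs that have the exact same powers over NIS as over any other data controller. Limited powers: refers to a reduced set of powers (usually comprising investigatory, advisory, intervention and sanctioning powers) or to additional formal requirements for exercising them.

Source: FRA, 2015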


Figure 4: Specialised expert bodies and DPAs across the EU-28

[Figure: the EU-28 Member States grouped by whether they have specialised expert bodies or no specialised expert bodies, and by whether the DPA has the same powers*, limited powers or no powers.]

Note: * as over other data controllers

Source: FRA, 2015

Privacy.373 The Madrid Standards establish a proposal for a universal data protection instrument, including rules on independent supervisory authorities.374

In Germany, the federal and state (Länder) Data Protection Commissioners adopted two resolutions proposing measures for better protection of personal data and privacy. One asked parliament to remove the current oversight system’s deficiencies.375 Initiating an investigation, for instance, is a necessary power of any DPA and should be provided for by law. The resolution also asked to embed DPAs in the oversight system of intelligence services, thus taking advantage of their expertise. These calls build on a Federal Constitutional Court (Bundesverfassungsgericht) judgment on the anti-terrorism data file, which held that in a surveillance system that is not open to scrutiny by individuals, an effective oversight system must be in place. When various intelligence services exchange data, there must also be enhanced cooperation among the supervisory data protection authorities.376 Moreover, the Federal Data Protection Commissioner highlighted gaps resulting from the fragmentation of the oversight system, and asked the legislator to amend the legal framework. The Federal DPA also emphasised that effective control requires adequate human resources and technical know-how.377

Where the law prevents DPAs from overseeing the work of intelligence services, this should not prevent oversight bodies from engaging with DPAs. For instance, the Dutch oversight body met the DPA in the context of its review report on the processing of communications data by the intelligence services.378

An example of a prompt, practical reaction after the Snowden revelations is the Memorandum of Understanding (MoU), signed in 2013 by the Italian DPA and the intelligence services. The MoU lists the files subject

373 International Conference of Data Protection and Privacy Commissioners, 36th (2014).
374 International Conference of Data Protection and Privacy Commissioners, 31st (2009).
375 Germany, Konferenz der Datenschutzbeauftragten des Bundes und der Länder, 88th (2014).
376 Germany, Federal Constitutional Court, BvR 1215/07, 24 April 2013.
377 Germany, Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für Datenschutz und Informationsfreiheit) (2013), Section 7. For the latest developments, see Germany, Federal Commissioner for Data Protection and Freedom of Information (2015), Section 2.
378 The Netherlands, CTIVD (2014a), pp. 12–13.


to inspection by the DPA, and provides rules on the DPA’s access to the premises and files, the secure storage of intelligence information at the DPA’s premises, and the implementation by the intelligence services of the DPA’s findings. Finally, it provides for the possibility of the intelligence services consulting the DPA beyond what is currently laid down in the legal framework.379 Regrettably, the MoU’s content is classified and not publicly available.

In terms of how specialised expert bodies and DPAs complement each other, Figure 4 further illustrates the great diversity of oversight mechanisms across the EU. It also raises several questions, such as: How do expert bodies and DPAs that have the same powers over intelligence services that they have over other data controllers collaborate in practice in the four Member States where this situation exists? On the opposite end of the spectrum, how is oversight undertaken in the five Member States that have not established a specialised expert body or given their DPA competence to oversee the intelligence services? The current FRA legal comparative analysis cannot answer these questions. They will be addressed in forthcoming fieldwork.

2.4. Approval and review of surveillance measures

One way to ensure surveillance measures are carried out lawfully is to allow for ex ante control by a suitable authority through prior approval or warranting.

UN good practice on intelligence collection and oversight

Practice 22. Intelligence-collection measures that impose significant limitations on human rights are authorized and overseen by at least one institution that is external to and independent of the intelligence services. This institution has the power to order the revision, suspension or termination of such collection measures. Intelligence collection measures that impose significant limitations on human rights are subject to a multilevel process of authorization that includes approval within intelligence services, by the political executive and by an institution that is independent of the intelligence services and the executive.

UN, Human Rights Council, Scheinin, M. (2010)

As stated by Born and Wills, “Oversight is a catchall term that encompasses ex ante scrutiny”.380

ECtHR case-law: Expert bodies as alternatives to judicial supervision

“The Court has indicated, when reviewing legislation governing secret surveillance in the light of Article 8, that in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge […]. However, […] the Court was prepared to accept as adequate the independent supervision available. In Klass and Others, this included a practice of seeking prior consent to surveillance measures of the G 10 Commission, an independent body chaired by a president who was qualified to hold judicial office and which moreover had the power to order the immediate termination of the measures in question […]. In Kennedy v. UK […] the Court was impressed by the interplay between the Investigatory Powers Tribunal (“IPT”), an independent body composed of persons who held or had held high judicial office and experienced lawyers which had the power, among other things, to quash interception orders, and the Interception of Communications Commissioner, likewise a functionary who held or had held high judicial office […] and who had access to all interception warrants and applications for interception warrants […].”

ECtHR, Telegraaf Media Nederland Landelijke Media B.V. and Others v. the Netherlands, No. 39315/06, 22 November 2012, para. 98

Table 4 presents the various bodies responsible for ex ante approval in the EU Member States in the context of targeted surveillance. Table 5 presents similar data in the five Member States that have detailed laws on signals intelligence. Some states have also established an ex post independent review of the surveillance measures, judicial or otherwise.

In the case of targeted surveillance, a warrant may only be granted on the basis that the surveillance will target a specified individual or group. The UN Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism states, “With targeted surveillance, it is possible to make an objective assessment of the necessity and proportionality of the contemplated surveillance, weighing the degree of the proposed intrusion against its anticipated value to a particular investigation.”381 However, bulk access to digital communications does not allow for an individualised proportionality analysis, and “[e]x-ante security is therefore possible only at the highest level of generality”.382

Though all Member States provide for this approval in some form or another, just over half charge the

379 Italy, Italian Government (2013). See also COPASIR (2014), p. 19.
380 Born, H. and Wills, A. (eds.), Geneva Centre for the Democratic Control of Armed Forces (DCAF) (2012), p. 6.
381 UN, Human Rights Council, Emmerson, B. (2014), para. 7.
382 Ibid., para. 12


Table 4: Prior approval of targeted surveillance measures, EU-28

Columns: EU Member State; Judicial; Parliamentary; Executive; Expert bodies; None

AT X; BE X; BG X; CY X; CZ X; DE X; DK X; EE X; EL X; ES X; FI X; FR X; HR X; HU X X X; IE X; IT X; LT X; LU X; LV X; MT X; NL X; PL X; PT*; RO X; SE**; SI X X; SK X; UK X

Notes:
* The Portuguese intelligence service is prohibited from undertaking surveillance; the Constitution only allows public authorities to interfere with correspondence, telecommunications or other means of communication in criminal proceedings, which the intelligence service is not allowed to conduct.
** Sweden’s security and intelligence services do not carry out targeted surveillance. The security service processes and analyses data collected by law enforcement through secret wiretapping and intercepted traffic data, while the signals intelligence agency gathers signals intelligence (see Annex).

Source: FRA, 2015

judiciary (judges or prosecutors) with the approval process, while others charge ministers, prime ministers, and expert bodies. The Council of Europe’s Commissioner for Human Rights stated that, given the difficulties that may arise when seeking to evaluate judicial decisions on the authorisation of intrusive measures, consideration may be given to quasi-judicial models.

In France and in Luxembourg, the prime minister authorises the surveillance of communications. In Luxembourg, the prime minister needs the assent of a commission


composed of the President of the Superior Court of Justice, the President of the Administrative Court, and the President of the District Court.383 In France, the CNCTR gives a non-binding opinion (avis) to the Prime Minister either within 24 or 72 hours.384 In the United Kingdom,385 Malta,386 Hungary,387 Ireland,388 and the Netherlands,389 approval comes from ministers.

Only three countries – Austria, Belgium and Germany – have tasked their expert bodies (the Legal Protection Commissioner, Administrative Commission and G 10 Commission, respectively) with approving targeted surveillance measures. In other Member States, expert bodies sometimes have an advisory role, such as in France or the Netherlands. While in France the CNCTR gives an ex ante opinion, in the Netherlands, the CTIVD does not have an ex ante advisory role, but does review surveillance measures after they are approved by the responsible minister. Its opinion, however, is non-binding.390

Hungary’s approval process rests with different authorities, depending on the surveillance measure.391 No authorisation is necessary to tap conversations in public spaces (or gather communications data from communications systems and data storage devices). The Minister of Justice must authorise, among others, the tapping of public lines, interception of post, and access to data stored on IT devices or systems. However, the above activity must be authorised by judges when it is carried out by the intelligence services to facilitate, amongst others: detecting — before an investigation is ordered — crimes enumerated in the Act on the National Security Services; revealing and preventing covert efforts to alter/disturb the legal order of Hungary by unlawful means; collecting information on illicit arms dealing representing a threat to national security, or on terrorist organisations threatening the security of the armed forces; or revealing and preventing efforts pertaining to terrorism by foreign powers. Hungary’s authorisation legislation, specifically Act No. XXXIV of 1994 on the police and the “sweeping prerogatives” granted to the Minister of Justice when authorising surveillance, is currently under challenge before the ECtHR.392

Similarly, there are two ways of gathering intelligence in Slovenia, and one requires a court order, whereas the other does not. The latter, which comprises Slovenia’s SIGINT activities, or surveillance of international communication systems, is authorised by the director of the Slovenian Intelligence and Security Agency (SOVA).393 Court orders, on the other hand, are required for the interception and wiretapping of private correspondence, and are authorised by the President of the Supreme Court. For the court order to be issued, a danger to state security must exist. It must also be reasonable to expect that, in connection with the activity that is to be put under surveillance, telecommunications is being or will be used; and to conclude that information cannot be collected in any other way, or that doing so would endanger people’s lives or health.394

In Austria, a Legal Protection Commissioner (RSB) was established to afford citizens another level of protection in the context of secret investigations carried out without their knowledge.395 The RSB needs to approve covert investigations (verdeckte Ermittlung), or covert audio and video recording, in the context of the observation of groups thought to present a serious danger to public security through acts of religiously or ideologically motivated violence. The Federal Minister of the Interior seeks the RSB’s opinion during operative and strategic analyses of personal data. This type of analysis is performed in the defence against criminal organisations or to prevent dangers emanating from the preparation or commission of criminal offences. The RSB has to provide an opinion on each surveillance measure. Once the opinion has been provided, the analysis can be conducted.396

In Spain, Article 18 (3) of the Constitution states that only the competent judicial authorities may authorise measures that affect the right to secrecy of communications. While the Spanish Code of Criminal Procedure refers to targeted surveillance carried out during a criminal investigation where an individual is already suspected of being involved in a crime and which is warranted by

383 Luxembourg, Ministry of Justice (Ministère de la Justice), Criminal Investigation Code (Code d’Instruction Criminelle), as amended on 15 April 2015, Art. 88-3.
384 France, Interior Security Code, Art. L. 821–1 and Art. L. 821–3. See also Dewost, J.-L., Pelletier, H. and Delarue, J.-M. (2015), p. 28 and following.
385 United Kingdom, Regulation of Investigatory Powers Act 2000, Section 7 (1) (a).
386 Malta, Security Service Act, Chapter 391 of the Laws of Malta, 26 July 1996, as amended on 6 September 1996, Art. 8 (1) (a).
387 Hungary, Act CXXV of 1995 on the National Security Services, Section 58 (2).
388 Ireland, Interception of Postal Packets and Telecommunications Messages (Regulation) Act, 6 June 1993, Section 2 (2) (a).
389 The Netherlands, Intelligence and Security Services Act 2002, Art. 25, paras. 1-6.
390 For changes proposed to the law, see The Netherlands, Draft law on the Intelligence and Security Services 20XX. See also The Netherlands, CTIVD (2015), p. 29.
391 Hungary, Act CXXV of 1995 on the National Security Services, Sections 57 (1), 58 (1) and 58 (2).
392 ECtHR, Szabo and Vissy v Hungary, No. 37138/14, communicated on 12 June 2014.
393 Slovenia, Intelligence and Security Agency Act, Art. 21.
394 Slovenia, Intelligence and Security Agency Act, Art. 24.
395 Austria, Police Powers Act, Sections 91 (a)–91 (d).
396 In October 2015, the Austrian Parliament will discuss a bill amending the Police Powers Act (Sicherheitspolizeigesetz). This bill suggests important changes affecting the way surveillance measures will be authorised. See Austria, State Security Bill.


an ordinary judge,397 the Spanish National Intelligence Centre must get permission from a Supreme Court judge when carrying out measures that target communications. When requesting such authorisation, the Spanish National Intelligence Centre has to provide information on the specific nature of the measures; articulate the facts, purposes and reasons underlying the adoption of such measures; identify the person/s who will be affected by the surveillance measure, if they are known; and specify the duration of the requested measures.398 Worthy of mention is that the judicial decision must always state the grounds on which it is approved or dismissed. This is also the case for approvals of the use of special intelligence means in Bulgaria.399 Requiring reasoned decisions helps avoid mere rubber-stamping, and ensures that judges take the time to study the merits of granting the measures.

However, most countries’ laws include provisions permitting the primary authority to postpone approvals in exceptional cases. In Latvia, for instance, when there is a need to act without delay to prevent a threat to vital public interests, such as an act of terrorism or subversive activity, a murder or other serious crime, or if there is an actual threat to the life, health, or property of a person, surveillance can be initiated without the judge’s approval. In its stead, a prosecutor must be notified within 24 hours and the judge’s approval must be received within 72.400

Other countries, such as Poland and Romania, have a two-tiered system of judicial approval. In Romania, the intelligence services must first obtain approval from the Prosecutor General, who then applies for authorisation to the High Court of Cassation and Justice if the application is well grounded.401 The Prosecutor General may also authorise surveillance measures in cases of emergency (for a maximum of 48 hours), as long as authorisation from the court is requested as soon as possible. This system allows for the legitimacy of the measures to be studied twice before being authorised.

Once the surveillance measures have been approved, they must be carried out lawfully. In Latvia, for instance, once the Chairman of the Supreme Court or a designated Supreme Court judge has approved a surveillance measure, the Prosecutor General and his or her designated prosecutors carry out continuous oversight. They have the right to examine documents, material and information at any stage of the investigatory operations.402 Latvia, therefore, has double-tiered judicial involvement in the work of the intelligence services. This kind of review also occurs in Greece and Ireland. In Greece, a public prosecutor is specially appointed to the intelligence service and tasked with supervising the legality of the special operational activities.403 In Ireland, it is a designated judge of the High Court who carries out ongoing oversight, supervising whether surveillance, which is carried out by a special police unit, is undertaken lawfully.404

By contrast, collection of signals intelligence – at least during its initial stages – targets not an individual but rather large flows of data. Search terms, also known as selectors, are later applied to the bundles of data to draw out information relevant to the work of the intelligence services. Table 5 presents the bodies in charge of approving signals intelligence collection in the five Member States that have detailed legislation on SIGINT.

In Sweden and Germany, an expert body is in charge of authorising the intelligence services to gather signals intelligence. In Sweden this is carried out by the Foreign Intelligence Court, which has eight members, two of whom are former judges (the chair and vice chair), and six of whom are lay members (there can be as few as two and as many as six lay members in total), mainly former politicians.405 The court must be composed of at least the chair and two lay members, and no more than three members may decide its rulings.406

The government appoints all members. The chair and vice chair (presently only one vice chair, but there could be two) are appointed in the same manner as regular judges, after an open recruitment process led by the Judges’ Board (Domarnämnden).407 The other members are appointed after the parties represented in parliament consult with each other.408 Lay judges should have special knowledge of court matters. The interests of individuals are represented by lawyers appointed for a four-year period. The court may declare that its

397 Spain, Code of Criminal Procedure (Ley de Enjuiciamiento Criminal), Art. 579.
398 Spain, Organic Law Regulating a priori judicial control of the National Intelligence Centre, single article.
399 Bulgaria, Special Intelligence Means Act, Art. 15 (1).
400 Latvia, Investigatory Operations Law, Art. 7 (5).
401 Romania, Law No. 51/1991 concerning the national security of Romania (Legea nr. 51/1991 privind securitatea nationala a Romaniei), 29 July 1991, Arts. 15 (3) and (4).
402 Latvia, Investigatory Operations Law, Art. 19 (2) 1.
403 Greece, Law 3649/2008, National Intelligence Service (EYP) and other provisions (Eθνική Υπηρεσία Πληροφοριών και άλλες διατάξεις), 3 March 2008, Art. 5 (3).
404 Ireland, Interception of Postal Packets and Telecommunications Messages (Regulation) Act, Section 8.
405 The court currently includes one former Minister of Justice.
406 Sweden, Act on the Foreign Intelligence Court, Section 9.
407 This is a government agency with a board consisting of nine members. Five members should have been judges, two should practice law outside of the court system (and one of these should be ‘advokat’ (member of the bar)), and the remaining two should represent ‘society’ (presently two members of the national parliament). See http://www.domstol.se/Om-Sveriges-Domstolar/Domarnamnden/Om-Domarnamnden/Domarnamndens-ledamoter/.
408 Venice Commission (2015), p. 36.


Table 5: Approval of signals intelligence in France, Germany, the Netherlands, Sweden and the United Kingdom

EU Member State | Judicial | Parliamentary | Executive | Expert
DE | | X (telco relations) | | X (selectors)
FR | | | X |
NL | | | X (selectors) |
SE | | | | X
UK | | | X |

Source: FRA, 2015

sessions are not public, and its decisions may not be appealed.409

In Germany, on the other hand, strategic surveillance – the interception of international telecommunications between foreign countries and Germany – is authorised by the Parliamentary Control Panel and the G 10 Commission. The intelligence service is required to channel its request with proper justification and specification of the selectors used through the Ministry of Interior. The request needs the approval of the Control Panel, specifically regarding the selection of “telecommunication relations”, i.e. the geographical regions of interest.410 A strategic surveillance request cannot concern more than 20 % of the overall transmission capacity of a given transmission channel (Section 10 (4) of the G 10 Act). The surveillance order is valid for three months and can be renewed for the same period once, if the conditions for the initial approval are maintained. The G 10 Commission then ensures the surveillance is “permissible and necessary” by approving the list of selectors to be used to filter the data.411

The Netherlands does not require authorisation when the services collect non-cable bound communications, which include satellite and radio transmissions. However, once the data has been narrowed down or keywords are applied, ministerial approval becomes necessary.412 The CoE Commissioner for Human Rights, among others, recommends that “independent ex ante authorisation should be extended to untargeted bulk collection of information” and not merely to the access to such data.413 The Dutch system also takes a different approach to that recommended by the Venice Commission: that the application of selectors to data, and therefore the authorisation of targeted surveillance, be done by a judicial body or a hybrid body composed of judges and experts.414

In contrast, warrants in the United Kingdom are authorised by the corresponding Secretary of State. Such warrants address communications collection. An accompanying certificate specifies which of the collected communications can be examined. However, the Intelligence and Security Committee of Parliament found that the categories identified in the certificates are very broad.415 Warrants for the interception of communications are authorised by the Home Secretary if the warrant is applied for by the Security Service (or MI5), or by the Foreign Secretary if the warrant is applied for by the Security Intelligence Service (or MI6) or GCHQ. Under the Regulation of Investigatory Powers Act (RIPA), only ‘external’ communications (which are those that begin and/or end outside the British Isles, also referred to as “one-end foreign” warrants) can be collected in bulk.416 The warrants issued by the Secretary of State must cover the sources that can be targeted and the types of material that can be accessed from the intercepted material. This distinction between internal and external is not always clear, however, since the British government interprets ‘external communications’ to include those which are routed via foreign companies, such as or , as well as accessing foreign websites. This lack of clarity was evidenced by the Intelligence and Security Committee’s finding that these communication categories are

409 Sweden, Act on the Foreign Intelligence Court, Sections 3, 5, 6, 9, 14 and 16. Details are provided in Sweden, Regulation 2009:968 with instructions for the Foreign Intelligence Court. The website of the Court is available in Swedish only, http://www.undom.se/. The Court was established in 2009, replacing a previously existing Signals Intelligence Board.
410 Germany, G 10 Act, Sections 5 and 8. See also Germany, Parliamentary Control Panel Act.
411 Germany, G 10 Act, Section 15 (5).
412 The Netherlands, Intelligence and Security Services Act 2002, Art. 26.
413 Council of Europe Commissioner for Human Rights (2015), p. 9.
414 Venice Commission (2015), p. 6.
415 United Kingdom, Intelligence and Security Committee of Parliament (ISC) (2015), pp. 37–38.
416 United Kingdom, Regulation of Investigatory Powers Act 2000, Section 8 (4).


confusing also for members of government.417 Moreover, although the warrant must be targeted at external communications, the incidental interception of internal communications is permitted. Once communications are intercepted, no distinction is made as to subsequent use or analysis.418 In’t Veld and Ernst hypothesise that, as a result of this action, “as the world becomes more and more wired and interconnected, these [personal digital] data are increasingly stored and transmitted freely across borders and through transit countries, leading to an unclear situation regarding jurisdiction and diminishing the relevance of national legislation and of national oversight”.419

A similar debate occurred in France in relation to international surveillance.420 When it comes to SIGINT, as prescribed by Article L. 851–3 of the Interior Security Code, the prime minister authorises the automatic processing based on selected parameters. The CNCTR provides the prime minister with a non-binding opinion on both the automatic processing and the parameters. The oversight body is kept informed about every modification during the operation and has permanent, complete and direct access to this processing and the intelligence gathered. The first authorisation is valid for two months. It is renewable, but the prolongation request should include the number of relevant targets obtained by the automatic processing and an analysis of their relevance. Should this data reveal the existence of a terrorist threat, the CNCTR provides the prime minister with its opinion on his/her authorisation to identify the relevant targets. Pursuant to Article L. 851-3 V of the Interior Security Code, absolute emergency (Article L. 821-5) cannot be put forward to authorise this surveillance measure without the CNCTR opinion.

What constitutes best practice in this area is a highly debated issue. In the series of enquiries held in October 2014 by the Intelligence and Security Committee of the British parliament, representatives of civil liberties organisations questioned the Secretary of State as a higher authority than a judge, since judges are independent of political pressure. The Home Secretary, however, who, as stated above, is responsible for authorising warrants for the interception of communications by MI5, responded that intrusions on privacy should be authorised by someone who is accountable directly to the British people and who has a greater understanding of the wider context in which these actions are being taken.421 Though the committee shared the Home Secretary’s opinion, the Independent Reviewer of Terrorism Legislation did not. In his exhaustive report, he recommended that Judicial Commissioners be created. These would be in charge of warranting surveillance judicially, and would therefore replace the Secretaries of State in the warranting process.422 Cameron and the Council of Europe Commissioner for Human Rights have suggested another alternative worth contemplating: separating the tests of whether surveillance is necessary and appropriate from the test of whether it is lawful by requiring both ministerial and judicial authorisation.423 This would allow the executive to maintain some form of control while protecting against political abuse.

It is therefore clear that, as a general rule, when targeting communications’ content data, prior approval is required in most Member States for both targeted surveillance and the use of selectors in the context of SIGINT. This changes, however, when intelligence services solely access metadata via data retention laws (Croatia,424 Hungary,425 United Kingdom426). In these cases, it is usually sufficient for the services’ directors to authorise access. This is problematic, because communications data do in fact reveal an individual’s pertinent personal information in a similar way to content data.427 This situation may change, however, since these laws have been challenged in several Member States. The Dutch Review Committee found that analysis of communications using metadata should be further safeguarded by providing for internal (in the service) or external (ministerial) approval procedures. The services should have to substantiate that the processing fulfils the requirements of necessity, proportionality and subsidiarity for it to be lawful.428

417 United Kingdom, ISC (2015), p. 40.
418 United Kingdom, Regulation of Investigatory Powers Act 2000, Section 5 (6). See also United Kingdom, Investigatory Powers Tribunal, Liberty & Others v. the Security Service, SIS, GCHQ, IPT/13/77/H, 5 December 2014, para. 68 and following.
419 See European Parliament, Committee on Civil Liberties, Justice and Home Affairs (2013b).
420 See France, French Data Network (2015), p. 69 and following.
421 United Kingdom, ISC (2015), pp. 73–76.
422 Anderson, D., Independent Reviewer of Terrorism Legislation (2015), p. 280.
423 Cameron, I. (2000), p. 151; Council of Europe Commissioner for Human Rights (2015), p. 63.
424 Hungary, Act CXXV of 1995 on the National Security Services, Section 40.
425 Croatia, Electronic Communications Act (Zakon o elektroničkim komunikacijama), Official Gazette (Narodne novine) Nos. 73/08, 90/11, 133/12, 80/13 and 71/14, 1 July 2008, as amended, Art. 108.
426 United Kingdom, Regulation of Investigatory Powers Act 2000, Chapter II.
427 Article 29 Working Party (2010).
428 See The Netherlands, CTIVD (2014), p. 97.


FRA key findings

FRA’s analysis looks at the accountability mechanisms related to surveillance by intelligence services. It describes in particular how EU Member States have established oversight mechanisms. Oversight is a means to ensure public accountability for the decisions and actions of intelligence services. According to experts, oversight aims to avoid the abuse of power, legitimise the exercise of intrusive powers and achieve a better outcome after an evaluation of specific actions. The general consensus, taken from a Venice Commission report and other academic studies, is that oversight should be a combination of:

• executive control;
• parliamentary oversight;
• expert bodies;
• judicial review.

Executive control and coordination between oversight bodies

The executive branch can control the intelligence services in a variety of ways: by specifying their strategic policies and priorities, or establishing guidelines; by nominating and/or appointing the service’s senior management; by formulating the budget that parliament will ultimately vote on; or by approving cooperation with other services. The executive also plays a crucial role in authorising surveillance measures in some Member States.

Effective oversight calls for proper coordination between the various oversight bodies to ensure that every aspect of the work of intelligence services is covered. If oversight bodies do not have a clear, comprehensive understanding of the work of the entire national intelligence community, gaps in oversight will ensue, and the effectiveness of the oversight system as a whole will be hindered.

■ The diversity among the EU Member States in terms of politics and legal systems has translated into a great variety of bodies that oversee the intelligence services. EU Member States have vastly different oversight systems. While good practices can be drawn from the systems in place, individual areas would benefit from legal reform enhancing the power of the oversight bodies.

■ A great assortment of powers are granted to the various oversight bodies, and the extent to which they may exercise these powers also varies.

■ Seven Member States have oversight systems that combine the executive, parliament, the judiciary (via ex-ante approval) and expert bodies. However, these do not include any of the countries that have legal frameworks allowing signals intelligence collection.

■ Effective oversight does not necessarily require all four types of oversight mechanisms. Such oversight can be accomplished as long as the bodies in place complement each other and as a whole constitute a strong system capable of assessing whether the intelligence services’ mandate is carried out properly. This will occur if the oversight powers cover all areas of an intelligence service’s activity. Where the mandate itself is unclear or insufficiently developed, however, oversight bodies will not be able to exercise any influence.

■ Access to information and documents by oversight bodies is essential. While information gathered by intelligence services is sensitive, and safeguards must guarantee that it will be dealt with accordingly, oversight bodies cannot carry out their tasks without first having access to all relevant information. The opposite, however, seems to be the norm.

Parliamentary oversight

Parliamentary oversight is important given the parliament’s responsibility to hold the government accountable. Parliament, as the lawmaker, is responsible for enacting clear, accessible legislation establishing the intelligence services and specifying their organisation, special powers and limitations. It is also in charge of approving the intelligence services’ budget, and in some Member States scrutinises whether their operations are in line with the legal framework.

■ FRA findings show that 24 EU Member States involve parliamentary oversight; in 21 of these, special parliamentary committees oversee the intelligence services. Some Member States have set up one parliamentary committee to deal with the various security and intelligence services, whereas others have created various committees to deal with the services individually.

■ No Member State’s parliamentary committee is granted unrestricted access to intelligence information.


■ The different parliamentary committees in the Member States have varying mandates: most have traditional oversight powers related to legislation, the budget and the reception of information on the services’ function, while a select few can handle complaints, make binding decisions on the intelligence services or aid in approving surveillance measures.

■ In terms of parliamentary committees’ power to initiate investigations, the laws of most countries authorise these committees to request information from the intelligence services or the executive, but not to demand it.

Expert oversight

Expert oversight is exceptionally valuable because it allows individuals who are familiar with the subject, have time to dedicate to the matter, and are independent of political allegiances to scrutinise the actions of the intelligence services. According to the Commissioner for Human Rights of the Council of Europe, they are often best placed to conduct day-to-day oversight over security and intelligence service activity.

■ Although parliamentary oversight is crucial, it must be complemented by other oversight bodies, particularly by strong expert bodies that can oversee operational activities, including the collection, exchange and use of personal data, as well as the protection of the right to private life.

■ Across the EU, 15 Member States have set up one or more expert bodies exclusively dedicated to intelligence service oversight. Their competences include authorising surveillance measures, investigating complaints, requesting documents and information from the intelligence services, and giving advice to the executive and/or parliament. To maximise their potential, they must be granted adequate independence, resources and powers.

■ In some Member States, the authorisation of surveillance measures does not involve any institutions that are independent of the intelligence services and the executive.

■ In Member States that have an independent body to authorise surveillance measures, targeted surveillance tends to require judicial approval, while approval via expert bodies is the other preferred solution. There is no common approach to overseeing signals intelligence collection.

■ While understanding the legal aspects of surveillance is indispensable, expert bodies must also be technically competent. Some Member States ensure this by including experts from a range of fields, including information and communications technology (ICT). Others rely heavily on a combination of current or former judges and parliamentarians.

In EU Member States, data protection authorities (DPAs) – specialised bodies called to safeguard privacy and data protection – have been given a fundamental role in safeguarding personal data. This role is enshrined in EU primary and secondary law. But expert bodies undoubtedly have recognised expertise in privacy and data protection in the area of intelligence.

■ FRA findings show that, compared with other data processing activities and data controllers of the public and private sector, DPAs in seven Member States have the same powers over intelligence services as over all other data controllers. In 12 Member States, DPAs have no competence over intelligence services, and in nine their powers are limited.

■ In Member States in which DPAs and other expert oversight bodies share competence, a lack of cooperation between these may leave gaps resulting from fragmented responsibilities. In Member States where DPAs lack competence over intelligence services, the oversight body is responsible for ensuring that privacy and data protection safeguards are properly applied.

■ Past FRA research in the area of access to data protection remedies identifies the need to improve DPAs’ capacity; this is important in view of the role DPAs could play in supervising intelligence services.

3 Remedies

The right to an effective remedy is an essential component of access to justice, and allows individuals to seek redress for the violation of their rights. A remedy must be ‘effective’ in practice and in law.

UN good practice on complaints and effective remedy
Practice 9. Any individual who believes that her or his rights have been infringed by an intelligence service can bring a complaint to a court or oversight institution, such as an ombudsman, human rights commissioner or national human rights institution. Individuals affected by the illegal actions of an intelligence service have recourse to an institution that can provide an effective remedy, including full reparation for the harm suffered.
UN, Human Rights Council, Scheinin, M. (2010)

In addition, the existence of mechanisms that handle individual complaints against intelligence services can also be seen as bolstering “accountability by highlighting administrative failings and lessons to be learned, leading to improved performance”.429

As presented by FRA reports on access to remedies for violations of data protection and on access to justice, a number of remedial avenues are available to victims of privacy and data protection violations.430 These include judicial mechanisms and non‑judicial bodies, such as DPAs. The complexity of the remedial landscape does not facilitate the implementation of effective remedies.

When an individual wishes to complain about interference with his or her right to privacy and data protection by intelligence services, the remedial landscape appears even more complex. The different remedial avenues are often fragmented and compartmentalised, and the powers of remedial bodies curtailed when safeguarding national security is involved. In fact, data collected for this research shows that only a very limited number of cases challenging surveillance practices have been adjudicated at the national level since the Snowden revelations.

Figure 5 provides a general and theoretical overview of the remedial avenues complainants can choose from when seeking a remedy in the area of surveillance at the national level. It does not cover avenues available to individuals at the European level, such as the ECtHR or the Petition Committee of the European Parliament.431 These options provide remedies for privacy and data protection breaches caused by unlawful surveillance in different ways. Remedies provided by DPAs and some of the other oversight bodies can subsequently be challenged before the courts.

Various actors have highlighted loopholes in the remedial landscape. In the United Kingdom, for example, the Information Commissioner pointed out in written submissions to the Intelligence and Security Committee of Parliament that “state surveillance of individuals’ communications, be this content or metadata, engages significant privacy and data protection concerns. The [] provides only limited reassurance as a wide ranging exemption from its provisions can be relied on where safeguarding national security is engaged. The current legal and regulatory regime is fragmented and needs review to ensure that it is fit for purpose in providing appropriate and effective oversight and redress mechanisms given the communications

429 Forcese, C. (2012), p. 181.
430 FRA (2011); FRA (2014c).
431 See, for example, European Parliament, Committee on Petitions (2014), No. 1618/2012, 29 August 2014.


Figure 5: Remedial avenues at the national level

Obligation to inform and the right to access

Data protection authority (DPA) Ombudsperson institutions

Oversight bodies (other than DPAs) with remedial powers

Courts (ordinary and/or specialised)

Source: FRA, 2015

technologies and networks in use today and likely to be in use in the foreseeable future.”432

In addition to the complexity of the remedial landscape, recourse to courts raises an issue of specialisation and strict procedural rules on evidence and legal standing, while recourse to non-judicial bodies raises issues of power and independence.433

Furthermore, for an individual wishing to seek justice, the secret nature of surveillance activities restricts his or her awareness about surveillance being carried out in the first place,434 hence the importance of seeking an effective remedy in a wider context of effective oversight, as pointed out by the ECtHR in the Segerstedt-Wiberg and Others v. Sweden case.

ECtHR case law: the effective remedy in case of surveillance
The “authority” referred to in Article 13 [of the ECHR] may not necessarily in all instances be a judicial authority in the strict sense. Nevertheless, the powers and procedural guarantees an authority possesses are relevant in determining whether the remedy is effective. Furthermore, where secret surveillance is concerned, objective supervisory machinery may be sufficient as long as the measures remain secret. It is only once the measures have been divulged that legal remedies must become available to the individual.
ECtHR, Segerstedt-Wiberg and Others v. Sweden, No. 62332/00, 6 June 2006, para. 117

Further discussion and analysis of the issues outlined above are provided in subsequent sections, starting with a precondition to any remedial action: the obligation to inform an individual about surveillance and the right of an individual to access his/her own data.

432 United Kingdom, Information Commissioner’s Office (2014), p. 9.
433 Forcese, C. (2012), p. 182.
434 See for example, Dewost, J.-L., Pelletier, H. and Delarue, J.-M. (2015), pp. 13 and 30.


However, the analysis in this section, just as in previous sections, is based on the comparative analysis of different laws, and is not an assessment of their practical implementation. This implementation particularly depends on how the various exceptions permitted by national law are invoked.

3.1. A precondition: obligation to inform and the right to access

The obligation to inform and the right to access one’s own data can generally be perceived as strong safeguards for ensuring the effectiveness of a remedial action, and, ultimately, legal scrutiny by judicial or non-judicial bodies. From the point of view of the right to data protection, these safeguards also ensure transparency of data processing and the exercise of other rights of the individual, i.e. the rectification and/or deletion of data being processed unlawfully.435 In the context of surveillance, even with necessary restrictions, the obligation to inform and the right to access also enhance transparency and accountability of the intelligence services and help to develop citizens’ trust in government actions.436

To safeguard national security, obligations and rights may, in accordance with Article 13 (1) of the Data Protection Directive, be restricted to the extent necessary and properly justified.437 According to the CJEU, the judicial review guaranteed by Article 47 of the Charter first requires full knowledge by the individual, and subsequently by the court, of the information on which the administration based its decision. The adversarial principle shall be complied with, so that the individual can decide whether there is an argument to make against the national decision. From there the court may review the national decision. At the same time, for overriding reasons connected to state security, it may prove necessary not to disclose certain information to the individual. However, the court shall be able to review whether the invoked reasons are valid, and the national authority shall prove that the disclosure of the information would compromise state security. There is no presumption that the reasons invoked exist and are valid.438 In Schrems v Data Protection Commissioner, the CJEU held that the right to access personal data and obtain rectification or erasure of such data belongs to the essence of the right to data protection; legislation that does not provide any possibility for an individual to pursue legal remedies to gain access to personal data relating to him/her, or to obtain the rectification or erasure of such data and so indirectly check compliance with the law, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.439

UN good practice on personal data
Practice 26. Individuals have the possibility to request access to their personal data held by intelligence services. Individuals may exercise this right by addressing a request to a relevant authority or through an independent data-protection or oversight institution. Individuals have the right to rectify inaccuracies in their personal data. Any exceptions to these general rules are prescribed by law and strictly limited, proportionate and necessary for the fulfilment of the mandate of the intelligence service. It is incumbent upon the intelligence service to justify, to an independent oversight institution, any decision not to release personal information.
UN, Human Rights Council, Scheinin, M. (2010)

The ECtHR connects the information provision to the individual with the fact that the information no longer jeopardises the purpose of the surveillance.

ECtHR case law: notification and surveillance
“As regards review a posteriori, it is necessary to determine whether judicial control, in particular with the individual’s participation, should continue to be excluded even after surveillance has ceased. Inextricably linked to this issue is the question of subsequent notification, since there is in principle little scope for recourse to the courts by the individual concerned unless he is advised of the measures taken without his knowledge and thus able retrospectively to challenge their legality. [...] [I]t has to be ascertained whether it is even feasible in practice to require subsequent notification in all cases. The activity or danger against which a particular series of surveillance measures is directed may continue for years, even decades, after the suspension of those measures. Subsequent notification to each individual affected by a suspended measure might well jeopardise the long-term purpose that originally prompted the surveillance. [I]n so far as the ‘interference’ resulting from the contested legislation is in principle justified […], the fact of not informing the individual once surveillance has ceased cannot itself be incompatible with this provision since it is this very fact which ensures the efficacy of the ‘interference’.”
ECtHR, Klass and Others v. Germany, No. 5029/71, 6 September 1978, paras. 57–58

435 See also Germany, Federal Constitutional Court (Bundesverfassungsgericht), 1 BvR 2226/94, 14 July 1999, para. 169.
436 UN, Human Rights Council, Scheinin, M. (2010), p. 23.
437 CJEU, C-473/12, Institut professionel des agents immobiliers (IPI) v. G. Englebert et al., 7 November 2013, para. 32.
438 CJEU, C-300/11, ZZ v. Secretary of the State of Home Department, 4 June 2013, paras. 53–54, 57, 61 and 64.
439 CJEU, C-362/14, Maximillian Schrems v. Data Protection Commissioner, 6 October 2015, paras. 23, 95.


“Moreover, the impugned provisions interfere with […] [Article 8 of the ECHR] rights in so far as they provide for the destruction of the data obtained and for the refusal to notify the persons concerned of surveillance measures taken in that this may serve to conceal monitoring measures interfering with the applicants’ rights under Article 8 which have been carried out by the authorities.”
ECtHR, Weber and Saravia v. Germany, No. 54934/00, 29 June 2006, para. 79

“However, the fact that persons concerned by secret surveillance measures are not subsequently notified once surveillance has ceased cannot by itself warrant the conclusion that the interference was not ‘necessary in a democratic society’, as it is the very absence of knowledge of surveillance which ensures the efficacy of the interference. [A]s soon as notification can be carried out without jeopardising the purpose of the restriction after the termination of the surveillance measure, information should, however, be provided to the persons concerned.”
ECtHR, Weber and Saravia v. Germany, No. 54934/00, 29 June 2006, para. 135

“According to the Court’s case law, the fact that persons concerned by such measures are not apprised of them while the surveillance is in progress or even after it has ceased cannot by itself warrant the conclusion that the interference was not justified under the terms of paragraph 2 of Article 8, as it is the very unawareness of the surveillance which ensures its efficacy. However, as soon as notification can be made without jeopardising the purpose of the surveillance after its termination, information should be provided to the persons concerned [...].”
ECtHR, Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, No. 62540/00, 28 June 2007, para. 91

The legal frameworks of all EU Member States allow restrictions on the obligation to information and the right to access on the basis of a threat to national security and/or the intelligence services’ objectives.

Differences are, however, observed as to the conditions and level of restrictions.440 Some Member States do not provide for the obligation to inform and the right of access. Others provide for restrictions on the grounds of an existing threat to national security, yet these restrictions are not identical. Finally, some Member States balance the restrictions by giving oversight bodies the mandate to a) check whether the invoked national security threat justification is reasonable in fact and/or b) to exercise the right to access indirectly, i.e. on individuals’ behalf.441

The obligation to information and the right to access are not provided for in eight Member States (the Czech Republic, Ireland, Latvia, Lithuania, Poland, Slovakia, Spain and the United Kingdom). This is attributable either to national data protection laws, which do not apply, or to derogations enshrined in specific laws. In the United Kingdom, the Independent Reviewer of Terrorism Legislation recommends that an Independent Surveillance and Intelligence Commission be created, which would be in charge of informing an individual of an error on the part of a public authority or communication service providers (CSP); and of notifying individuals of their right to lodge an application to the Investigatory Powers Tribunal, on their own initiative or at the suggestion of a public authority or CSP.442

Czech law illustrates this approach: the data protection law is not applicable and the specific laws stipulate that the intelligence service does not have to inform the persons whose rights they interfere with, nor do they have to provide access to the data.443

In some Member States, the obligation to inform and/or the right to access are restricted because of rules applicable to classified documents and official secrets. In Latvia, the specific law on the intelligence services stipulates that information gained by the intelligence services is of restricted access or classified as an official secret.444 In Spain, the data protection law does not apply to classified documents and the specific laws do not provide for rules on information and access to the data. In Ireland, the data protection safeguards do not apply to “personal data that in the opinion of the Minister or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State”.445 The restrictions therefore apply even to data kept in the past for this purpose, without for instance, consideration of whether a threat to state security continues to exist.

In the other 20 Member States, the obligation to inform and right to access are provided for in the law, albeit with restrictions. The conditions vary regarding when the individual must be informed or may exercise the right to access, or other qualifying aspects. In the majority of these Member States, data protection laws alone, or in conjunction with specific laws, constitute the legal basis for the restrictions (Austria, Belgium, Bulgaria, Croatia, Cyprus, Greece, Germany, Finland, France, Hungary, Italy, Luxembourg, Malta and Slovenia). In Malta, for instance, the general data protection legislation provides that the obligation to inform and the right to access are not applicable to necessary measures in the interest of national security, while the specific laws do not further regulate this matter.446 In five Member States, specific laws exempt the intelligence

440 See also UN, GA (2014c), para. 39.
441 See also Venice Commission (2015), pp. 35–36.
442 Anderson, D., Independent Reviewer of Terrorism Legislation (2015), p. 303.
443 Czech Republic, Security Information Service Act, Art. 16 (5).
444 Latvia, Investigatory Operations Law, Art. 24 (1).
445 Ireland, Data Protection Act, Section 1 (4) (a).
446 Malta, Data Protection Act, Section 23.


services’ activities from the remit of general data protection legislation (Denmark, Estonia, the Netherlands, Romania and Sweden).

Independent of whether this is done on the basis of a general data protection law or in accordance with specific legislation, individuals’ right to access and the services’ obligation to inform tend to be restricted on the ground that the information would threaten the objectives of the intelligence services or national security. This restriction applies for the entire period during which such a threat exists. An assessment of the threat should therefore be performed over time to ensure the restriction is justified. The constitutionality of the provision allowing the general directors of the security services to refuse information requests at their discretion, on grounds of national security, was challenged before the Hungarian Constitutional Court. The court stated that the general directors may deny the request at their discretion, but only if the fulfilment of the request affects national security interests or the rights of others. The court held that the lower courts had misinterpreted the provision and did not attribute enough importance to the grounding of the refusals.447 The ruling of the Constitutional Court prompted Act CIX of 2014, modifying the legislation on national security services; the new provisions are in effect as of 1 February 2015.448

In Sweden, the individual shall be notified of signals intelligence only if the search terms used therein are directly related to him/her, and not if reasons of confidentiality prevent notification.449 This information shall be provided no later than one month after the data was collected. So far, no individuals have yet been informed, due to secrecy reasons.450

In Belgium, a 2010 reform451 initially required informing individuals, upon their request, five years after the end of the surveillance. However, in 2011, following the reasoning of Klass and Others v. Germany and Weber and Saravia v. Germany, the Belgian Constitutional Court declared this provision unconstitutional. Specifically, it held that requiring the data subject to request notification – and not the intelligence services to provide it on their own initiative – did not comply with the right to respect for privacy.452

In six Member States, individuals are notified or information is provided at the end of surveillance, based on the anticipation that the threat to national security will exist throughout the surveillance (Bulgaria, Croatia, Denmark, Germany, the Netherlands, and Romania). In Romania, for instance, if the collected data does not justify a referral to the criminal investigating authorities and does not justify a continuation of the surveillance, surveillance will stop and the individuals under surveillance will be notified as to the surveillance activities and their duration.453 In Denmark, there is a general obligation to inform the individuals at the end of surveillance,454 provided the notification would not jeopardise the investigation and it is not disputed.455

In Germany, the restriction of the right to information is stipulated in Article 10 of the Basic Law, i.e. the constitution (Grundgesetz), and in the G 10 Act. As stated by the Federal Constitutional Court, the right may be restricted because of secret surveillance, but the individual shall be informed after the threat has disappeared.456 Regarding targeted surveillance, individuals must be informed about the surveillance measures within 12 months after their discontinuation, unless the information would jeopardise the purpose of the surveillance measures or harm the interests of the country.457 The same rule applies to strategic surveillance; however, the obligation to information is limited to processed data, not to the data immediately deleted after being deemed irrelevant for the purposes for which they were captured.458

In some Member States, additional conditions are enshrined in the law. In Bulgaria, notification of the individual and the right to access apply only to unlawful surveillance.459 In Croatia, the obligation to inform the individual applies only if the individual submits a request, thus resulting in the exercise of the right to access.460 In Germany, the right to access information

447 Hungary, Constitutional Court (Alkotmánybíróság), No. 9/2014 (III. 21.) (9/2014. (III. 21.) AB határozat), 17 March 2014.
448 Hungary, Act CIX of 2014 on the modification of Act CXXV of 1995 on the national security services and the modification of other Acts related to the national security control, 1 February 2015.
449 Sweden, Act on Signals Defence Intelligence, Section 11 (a) and (b).
450 Sweden, Swedish Data Inspection Board (Datainspektionen) (2010), p. 6.
451 Belgium, Law on the Intelligence and Security Services, Art. 2, as amended on 4 February 2010, Art. 2 of the Act on the Special Intelligence Methods used by the Intelligence and Security Services (Loi relative aux méthodes de recueil des données par les services de renseignement et de sécurité), 4 February 2010.
452 Belgium, Constitutional Court (Cour constitutionnelle), No. 145/2011, 22 September 2011.
453 Romania, Law No. 51/1991 concerning the national security of Romania, Art. 21 (2).
454 Denmark, Administration of Justice Act, Art. 788 (1).
455 Ibid., Art. 788 (4).
456 Germany, Federal Constitutional Court (Bundesverfassungsgericht), 1 BvR 2226/94, 14 July 1999, paras. 170 and 287.
457 Germany, G 10 Act, Section 12 (1).
458 Germany, G 10 Act, Section 12 (2).
459 Bulgaria, Special Intelligence Means Act, Art. 34 (g) (3).
460 Croatia, Act on the Security Intelligence System of the Republic of Croatia, Art. 40 (1).


is dependent on the precise circumstances and on whether the individual can prove a special interest.461

Two Member States have established timeframes that must be exhausted before the obligation to inform applies or access rights can be exercised (Croatia and the Netherlands). In the Netherlands the duty to notify the individual came into force in 2007. Accordingly, individuals are notified five years after the NIS have carried out certain special surveillance measures, such as opening letters, intercepting telecommunications taking place through an automated process, and intercepting non-cable-bound telecommunications.462 However, if an individual’s personal data are still needed in the investigation, the five-year deadline for notification may be postponed.463 The duty to issue a report is not compulsory if it is reasonably expected that the information will reveal the sources of a service, including those of other countries; seriously damage relations with other countries and international organisations; or reveal a specific application of a method or the identity of collaborators.464 On similar grounds, the right of the concerned individual to access their data is provided by law.465 In a report on the obligation to inform, the Dutch Review Committee stressed that very often there will be grounds to cancel notification, as for instance in case of signals intelligence, which involves third countries, meaning notification may seriously damage relations with these countries. It also emphasised that notification may take place after many years, since the activities of the intelligence service can be long-lasting; for example, operations started in 2002 may be considered on-going in 2009.466 The Hague District Court has held that, in cases of secret surveillance, there is no absolute duty of notification,467 and safeguarding secrecy prevails. However, the refusal to provide the data must be justified.468 The individual may also exercise the right to access their own data indirectly through the DPA on the basis of the general data protection legislation. The DPA, however, may not give information regarding the existence or content of the data, and may solely confirm carrying out the necessary checks. In Croatia, the individual has to request information. In addition, the information is restricted during the time a threat to the fulfilment of the services’ tasks exists. With regard to national security, irrespective of the existence of a threat, the services are not obliged to inform the individuals after the surveillance measures end.469

Ten Member States provide for the involvement of the oversight body or a court by scrutinising whether the invoked grounds for restricting the rights are reasonable or by indirectly exercising the individual’s right to access.

In Austria, the right to access is restricted if access may threaten the security of the state. The individual may, however, turn to the DPA and request to check the legality of the police authorities’ reply, which in cases of a threat to state security does not confirm or deny the data processing.470 When the Legal Protection Commissioner determines that the use of personal data has breached an individual’s rights, s/he has the duty to inform the individual concerned or, when for security reasons s/he cannot, to lodge a complaint with the DPA.471

In the Netherlands, the Review Committee shall be informed of the interior minister’s refusal to disclose the information and the grounds for such.472 In 2010, the Dutch Review Committee assessed the implementation of the intelligence service’s notification obligation and noted that between 2007 (date of the entry into force of this obligation for the services) and 2010, nobody had been notified. The lack of notification was only in exceptional cases based on incorrect grounds, which, however, did not mean that there might not have been other valid grounds for the non-notification of the individuals. The oversight body noted that an active obligation to notify must be balanced against the complexity of other existing legal safeguards, for instance filing a complaint based on an allegation of the intelligence service’s improper conduct or applying for an inspection of personal data processed by the intelligence service.473

In Germany, the G 10 Commission decides for how long the information is withheld, unless it unanimously decides that, even after five years, the information would endanger national interests.474 In cases of targeted surveillance in 2013, of 1,944 persons or institutions regarding which the surveillance measures were discontinued, 650 were informed. The G 10 Commission

461 Germany, Federal Act on the protection of the Constitution (Bundesverfassungsschutzgesetz), 20 December 1990, as amended, Section 15; Germany, Act on the Federal Intelligence Service, Section 7.
462 The Netherlands, Intelligence and Security Services Act 2002, Art. 34.
463 Ibid., Arts. 47 and 53.
464 Ibid., Art. 35 (7).
465 Ibid., Arts. 47 and 51.
466 The Netherlands, CTIVD (2010), p. 149.
467 The Netherlands, Hague District Court (Rechtbank Den Haag), ECLI:NL:RBDHA:2014:8966, 23 July 2014.
468 The Netherlands, Hague District Court (Rechtbank Den Haag), ECLI:NL:RBSGR:2011:BP4872, 16 February 2011.
469 Croatia, Act on the Security Intelligence System of the Republic of Croatia, Art. 40 (4).
470 Austria, Data Protection Act 2000 (Datenschutzgesetz 2000 – DSG 2000), BGBl. I. Nr. 165/1999, as amended, Section 26 (2) in conjunction with Section 30 (3).
471 Austria, Police Powers Act, Section 91 (d) (3). A case regarding this power is pending before the ECtHR. See ECtHR, Tretter and Others v. Austria, No. 3599/10, communicated on 6 May 2013.
472 The Netherlands, Intelligence and Security Services Act 2002, Arts. 35 (7), 47, 50 and 55.
473 The Netherlands, CTIVD (2010), pp. 21–23 and 113 f.
474 Germany, G 10 Act, Section 12.


decided to not yet inform 1,079 persons/institutions, and unanimously agreed 260 would never be informed.475 In cases of strategic surveillance, the G 10 Commission dealt with seven cases for information related to terrorism. In three cases, the commission decided to postpone providing the information, in one case to reject the information indefinitely, and in three cases it took note that the intelligence service (BND) provided the information. In three cases linked to arms proliferation, the G 10 Commission noted the BND had provided the information, and in two cases linked to human trafficking, the G 10 Commission decided to postpone the provision of information. In three cases related to hostage taking, the G 10 Commission decided to postpone the provision of information and took note that, in the third case, the BND had already provided it.476

In Cyprus and Greece, the obligation to inform and the right to access, as stipulated by the data protection laws, may be restricted or lifted by a decision of the DPA on the grounds of national security, upon request of the intelligence services. In Cyprus, for instance, the DPA issued a decision in 2002 lifting the obligation to information with respect to the Central Intelligence Service’s data files.477 In Greece, in addition to the role of the DPA, the specific law on interception of communications grants the special oversight body for safeguarding the secrecy of communications (ADAE) the discretion to inform the individual once the surveillance measure has ended, provided this does not compromise the purpose of the investigation, otherwise the information shall be destroyed.478 Since this is not obligatory, the safeguard relies on the body’s discretion to decide whether the individual shall be informed. The annual activities reports from the years 2004–2013 do not mention any activity of the oversight body regarding the provision of information to individuals.479

In Denmark, there is a general rule to inform the individual at the end of the surveillance measures. If notification would jeopardise the investigation or there are other arguments against it, the judiciary may permit withholding – or delaying the provision of – the information.480 In addition to this basic rule, the specific laws foresee that in extraordinary cases an individual may access, in part or in full, the information by filing a claim to the Oversight Committee, even while the surveillance is being carried out.481 However, when the access request addresses the activities of the Danish Defence Intelligence Service, these rights are granted only to Danish and Nordic citizens, foreigners with a residence permit, and asylum seekers who have resided in the country for more than six months.

In Belgium, France, Italy and Luxembourg, individuals may exercise the right to access their own data indirectly through the DPAs or the competent oversight body (Luxembourg). These bodies implement the necessary controls to ensure data is processed lawfully. However, the individual is not informed which data are processed if doing so would threaten national security. Though a right of indirect access is not granted as such in Portugal and Sweden, the law consequently provides for a similar right: an individual may request the oversight body to check whether his/her data are subject to unlawful surveillance.482 The Swedish oversight body, the Swedish Defence Intelligence Commission, shall only notify the individual that the check has been carried out, but not whether he or she has been subject to surveillance.483 The same approach is prescribed in the French law on intelligence, which does not amend the current legal framework on this specific matter.484 In 2014, the French oversight body dealt with 110 complaints (75 in 2013 and 52 in 2012).485

Only two of the five Member States authorised to conduct signals intelligence distinguish between the obligation to inform an individual in case of targeted surveillance versus their obligation to do so when an individual is affected as a result of signals intelligence. These provisions focus on the obligation to inform an individual regarding data collection that is conducted automatically and according to pre-defined filters. In this phase, the laws provide for the lifting of the obligation to inform. In particular, the obligation to inform does not apply if a) the search terms are not directly related to the individual (Sweden) or b) the data are immediately deleted after they have been captured through use of the selectors (Germany).

475 Germany, Federal Parliament (Deutscher Bundestag) (2015), p. 6.
476 Germany, Federal Parliament (Deutscher Bundestag) (2015), p. 8 f.
477 Cyprus, Decision of the Data Protection Authority, 2 September 2002.
478 Greece, Act 2225/1994 on the protection of freedom of correspondence and communications and other provisions, Art. 5 (9).
479 Greece, Authority for Communication Security and Privacy (Αρχή Διασφάλισης του Απορρήτου των Επικοινωνιών), Annual reports for the years 2004–2013, www.adae.gr/ektheseeis-pepragmenon/
480 Denmark, Administration of Justice Act, Art. 788 (4).
481 Denmark, Act No. 602 of 12 June 2013 on the Danish Defence Intelligence Service (Lov nr. 602 af 12. juni 2013 om Forsvarets Efterretningstjeneste (FE)), 12 June 2013, Arts. 9 and 10.
482 Sweden, Act on Signals Defence Intelligence, Section 10 (a); Portugal, Organic Law 4/2004 of 6th of November amending the Framework Law of the Information System of the Portuguese Republic (Lei Orgânica No. 4/2004 de 6 de Novembro Altera a Lei Quadro do Sistema de Informações da República Portuguesa), 6 November 2004, Art. 27.
483 Klamberg, M. (2010), p. 128.
484 France, Interior Security Code, Art. L. 833-4.
485 See France, CNCIS (2015a), p. 89 and CNCIS (2015b), p. 97.


3.2. Judicial remedies

Courts provide an avenue for individuals to complain about interference with their privacy and to seek a remedy, including in the area of surveillance. However, several obstacles stand in place for an individual complaining about signals intelligence: the courts’ lack of specialisation; general procedural obstacles, such as costs, delays or complexity; and a lack of concrete evidence and a high burden of proof for establishing the veracity of evidence, or possible invocation of state secrecy privilege, including ‘neither confirm nor deny’ stances. These major obstacles can, in some cases, be mitigated in systems with specialised tribunals/courts, where judges possess the knowledge necessary to decide on often technical matters and are also allowed to access secret material. Other elements that can facilitate an individual’s access to remedies include more relaxed standing proof rules, class actions and effective protection of whistleblowers. The Parliamentary Assembly of the Council of Europe has stated that whistleblowing is “the most effective tool for enforcing the limits placed on surveillance”.486 The Committee of Ministers of the Council of Europe adopted a Recommendation on the protection of whistleblowers, encouraging Member States to set up a protective legal framework.487 The European Parliament called on Member States to grant whistleblowers international protection from prosecution.488 Indeed, in the specific context of signals intelligence, in particular where the information is not provided to an individual and access cannot be obtained through oversight bodies, independent and whistleblowers play an essential ‘intermediary’ role in facilitating access to remedies. The Snowden revelations provide a good example of this since they led to both national and international litigation.489

3.2.1. Lack of specialisation and procedural obstacles

Every Member State gives individuals the possibility to complain about privacy violations via the courts, regardless of whether or not these have occurred because of targeted or signals intelligence.

National laws may determine which of the ordinary courts are competent to review surveillance complaints. In France and Germany, the highest administrative court is competent.490

When national laws provide DPAs with powers over the activities of intelligence services, depending on the issue at stake, the DPA may need to be approached before the courts,491 which will then act as appellate bodies tasked with reviewing the decisions of an administrative body.

In Schrems v Data Protection Commissioner,492 for example, the plaintiff complained to the Irish Data Protection Commissioner that the disclosures made by demonstrated there was no effective data protection regime in the United States. The plaintiff requested the Data Protection Commissioner to exercise his statutory powers to order a cease to the transfer of personal data from Facebook Ireland to its parent company in the United States. The Data Protection Commissioner refused to investigate the claim, and maintained that he was bound by the European Commission’s Decision on Safe Harbour principles of July 2000,493 which provides the legal basis for the transfer of personal data from EU to American companies, and that the data protection regime in the United States was adequate and effective as long as companies that process the data or transfer data to the United States self-certify that they comply with the principles set down in Safe Harbour. The applicant challenged the lawfulness of the Data Protection Commissioner’s refusal. The High Court then referred the case to the CJEU. The CJEU held that DPAs are not prevented from investigating a complaint and, in case of doubts as to the validity of a legislative act, from bringing the case before national courts, which may make a reference to the CJEU for a preliminary ruling to examine its validity.494

As past FRA research on access to data protection remedies shows, however, ordinary courts’ lack of expertise in the area of data protection was one of the major obstacles to effectively remedying data protection violations.495

This finding is certainly of relevance in the area of surveillance, where the highly technical nature of intelligence matters requires relevant expertise on the part of the judge. From the perspective of a complainant, judicial lack of expertise in dealing with intelligence

486 PACE, Committee on Legal Affairs and Human Rights (2015b), p. 31.
487 PACE, Committee on Legal Affairs and Human Rights (2015a).
488 European Parliament (2014).
489 See also the concept of ‘insider’ complaints in Forcese, C. (2012), p. 182. See also PACE, Committee on Legal Affairs and Human Rights (2015a).
490 France, Interior Security Code, Art. L. 801–1; Germany, Code of Administrative Court Procedure, (Verwaltungsgerichtsordnung), 21 January 1960, as amended, Section 50 (1) (d).
491 FRA (2014c), Section 5.3.
492 Ireland, High Court, Schrems v. Data Protection Commissioner, [2014] IEHC 310, 18 June 2014.
493 European Commission (2000).
494 CJEU, C-362/14, Maximillian Schrems v. Data Protection Commissioner, 6 October 2015, para. 65–66.
495 FRA (2014c).


services may lead a judge to defer to the national intelligence services and their claim that national security and other special circumstances apply.496

Furthermore, for individuals to obtain adequate redress for a suffered harm, they must usually bring sufficient evidence of unlawful surveillance. In the context of targeted or signals intelligence, individuals often do not have the fully-fledged right to be notified that they have been the subject of surveillance measures and/or to have access to such data. There is often no information provided in practice. In the United Kingdom, for instance, there is a well-established policy of ‘neither confirm nor deny’ responses to questions about sensitive matters of national security. Individuals have therefore little opportunity to submit concrete evidence, which often makes the courts (but in some cases also non-judicial bodies) inaccessible avenues in practice.497 The Council of Europe Commissioner for Human Rights stated that “such modifications to proceedings can make it difficult or impossible to have a fair trial”.498 The Irish High Court acknowledged the inability to provide evidence in such situations.499

A judgment of the Federal Administrative Court in Germany illustrates the difficulties individuals face when confronted with strict procedural rules on providing concrete evidence to prove their victim status.500 In this case, a complaint was lodged against strategic surveillance of communications under Section 5 of the G 10 Act by the Federal Intelligence Service (BND), after it was reported that 37 million communications were caught in 2010 by the dragnet search, mostly emails, of which only 12 were considered ‘relevant’. The complainant argued that it was very likely that he was affected by the dragnet search because of his frequent international email communications as a professional lawyer with contacts abroad; hence, he requested a statement that the BND acted in a disproportionate manner and violated his right to privacy of communications. The Federal Administrative Court, however, held that the complaint was inadmissible since complaints against strategic surveillance of telecommunications under the relevant domestic law were only admissible if it was evident that the complainants had been affected. The court added that the right to an effective remedy does not mean that the burden of proof must be eased on the ground that the individual is not informed when the data collected through the search terms are immediately deleted.

In this context and in light of existing ECtHR jurisprudence on victim status, the possibility to challenge the constitutionality of the mere existence of legislation permitting secret measures, without having to allege that such measures were in fact applied to an individual, is an important safeguard.501

ECtHR case law: interference and victim’s status

“The Court further notes that the applicants, even though they were members of a group of persons who were likely to be affected by measures of interception, were unable to demonstrate that the impugned measures had actually been applied to them. It reiterates, however, its findings in comparable cases to the effect that the mere existence of legislation which allows a system for the secret monitoring of communications entails a threat of surveillance for all those to whom the legislation may be applied. This threat necessarily strikes at freedom of communication between users of the telecommunications services and thereby amounts in itself to an interference with the exercise of the applicants’ rights under Article 8 [of the ECHR], irrespective of any measures actually taken against them.”
ECtHR, Weber and Saravia v. Germany, No. 54934/00, 29 June 2006, para. 78

The applicants in what became known as the Weber and Saravia case complained about the expansion of the Federal Intelligence Service’s (BND) powers of strategic telecommunications surveillance. The German Constitutional Court ruled that the legal provisions on the competences of the BND regarding surveillance for the purposes of pre-empting money laundering, the use of obtained data, the transfer of data to other authorities and on the limited obligation to notify affected persons, were not compatible with the German Basic Law. The court also demanded stronger oversight by the G 10 Commission.502 Because of this judgment, the law was substantially revised in June 2001.503 The court applied similar rules to the burden of proof as the ECtHR.

In addition to these specific procedural obstacles, and the fact that individuals often simply do not know they are a target of or encompassed by surveillance, going to court often exposes individuals to lengthy, time-consuming, complicated and costly procedures.504

496 Forcese, C. (2012), p. 186.
497 See FRA (2014c).
498 Council of Europe Commissioner for Human Rights (2015), p. 27.
499 Ireland, High Court, Schrems v. Data Protection Commissioner, [2014] IEHC 310, 18 June 2014, para. 42. See also CJEU, C-362/14, Maximillian Schrems v. Data Protection Commissioner, Advocate General’s Opinion, 23 September 2015.
500 Germany, Federal Administrative Court (Bundesverwaltungsgericht), BVerwG 6 CN 1.13, 28 May 2014.
501 ECtHR, Weber and Saravia v. Germany, No. 54934/00, 29 June 2006; ECtHR, Klass and Others v. Germany, No. 5029/71, 6 September 1978, para. 34.
502 Germany, Federal Constitutional Court (Bundesverfassungsgericht), 1 BvR 2226/94, 14 July 1999.
503 Germany, G 10 Act.
504 FRA (2011); FRA (2014c).


This is why individuals may prefer to access justice via non-judicial avenues505 or through intermediaries, such as relevant civil society organisations. The latter may play a vital role in taking such complaints to court when class actions are allowed,506 as well as in bringing cases of a more general nature requesting access to specific information on the activities and investigative methods of intelligence authorities to contribute to greater transparency and accountability in this area.507 However, civil society organisations often lack adequate resources, and few are able to offer comprehensive services to victims of data protection violations.508

3.2.2. Specialised judges and quasi-judicial tribunals

Two Member States decided to introduce a system of specialised judges or courts to deal with cases in the area of surveillance. Furthermore, although not courts as such, specific quasi-judicial mechanisms in Germany and Belgium are analysed in this section. Their role, composition and powers make them resemble courts, which makes them distinct from other non-judicial bodies analysed in Section 3.3. A clear advantage of these specialised courts and bodies is, among others, their expertise in the area of surveillance, which is not necessarily the case of ordinary courts.

National practices of appointing a specialised judge to adjudicate these matters (Ireland) or establishing specialised tribunals to hear complaints about unlawful surveillance by intelligence authorities (United Kingdom) can be seen as contributing to the development of judicial expertise in the area. Such systems can also facilitate different arrangements on judicial access to classified or top-secret information.509 Indeed, in some jurisdictions, civil or administrative courts may be empowered to award damages, but in practice, suits in the general courts are made difficult by intelligence services’ claims of secrecy due to national security.510

CJEU case law: national security and due process

“[I]f, in exceptional cases, a national authority opposes precise and full disclosure to the person concerned of the grounds which constitute the basis of a decision […], by invoking reasons of State security, the court with jurisdiction in the Member State concerned must have at its disposal and apply techniques and rules of procedural law which accommodate, on the one hand, legitimate State security considerations regarding the nature and sources of the information taken into account in the adoption of such a decision and, on the other hand, the need to ensure sufficient compliance with the person’s procedural rights, such as the right to be heard and the adversarial principle.”
CJEU, C-300/11, ZZ v. Secretary of the State of Home Department, 4 June 2013, para. 57

In Ireland, a complaint can be made to the Complaints Referee, a judge of the Circuit Court nominated to hold this specialised position. The referee may investigate whether there has been a contravention of the relevant provisions of the Act on interception of communications.511 If a complaint is upheld, the Complaints Referee will quash the interception, report the matter to the Taoiseach (prime minister) and recommend a compensatory payment. To date, this has not occurred. In parallel, a civil action for damages for breach of privacy protected by the constitution can also be taken in the High Court.512

In the United Kingdom, the Investigatory Powers Tribunal (IPT), although not strictly speaking a court, was established to deal with individuals’ complaints against surveillance. The ECtHR not only confirmed that the procedure before the IPT, including existing procedural restrictions imposed by the law on such procedure, taken as a whole, satisfied the requirements of Article 6 (right to a fair trial) and 13 of the ECHR,513 but also highlighted the positive aspects of the British system.514 The IPT is composed of specialised counsels (the president and vice president must both hold or have held senior judicial posts).515 It has the exclusive jurisdiction to hear claims relating to interception and the conduct of the intelligence agencies. The IPT, however, rarely publishes its decisions or holds public hearings. At the same time, the IPT’s powers are strictly limited to assessing whether legislation has been complied with and authorities have acted ‘reasonably’. The IPT has

505 FRA (2014c).
506 Poland, Administrative Court in Warsaw (Wojewódzki Sąd Administracyjny w Warszawie), Helsinki Foundation for Human Rights v. ABW, II SA/Wa 710/14, 24 June 2014, pending appeal to the Supreme Administrative Court.
507 Poland, Helsinki Foundation for Human Rights (2015).
508 FRA (2014c).
509 Chesterman, S. (2011), p. 218.
510 See Forcese, C. (2012), p. 186; Bigo, D. et al., Policy Department C: Citizens’ Rights and Constitutional Affairs (2014).
511 Ireland, Interception of Postal Packets and Telecommunications Messages (Regulation) Act.
512 Ireland, Supreme Court, McGee v. Attorney General, [1974] I.R. 284, 19 December 1973.
513 ECtHR, Kennedy v. UK, No. 26839/05, 18 May 2010.
514 ECtHR, Telegraaf Media Nederland Landelijke Media B.V. and Others v. the Netherlands, No. 39315/06, 22 November 2012, para. 98.
515 United Kingdom, Regulation of Investigatory Powers Act 2000, Sections 65–70.


only ruled against the intelligence and security services twice: in Liberty, , Bytes for All and Amnesty vs. UK; and Belhaj vs. Straw. The Independent Reviewer of Terrorism Legislation recommended that the IPT should have its jurisdiction expanded, that it be given the power to make declarations of incompatibility, and that its rulings be subject to appeal on points of law.516

It has been the long-standing policy of the United Kingdom government to give a ‘neither confirm nor deny’ (NCND) response to questions about matters sensitive to national security. The IPT recognised the legitimate purpose and value of such a response in several cases. It held that “the NCND policy is needed to help to preserve secrecy”, and that it does not interfere with the right to privacy in cases where there is no relevant information held on the complainant.517 In 2010 for example, 30 % of the 164 complaints received by the IPT were directed against security and intelligence services. The remaining complaints were directed against other types of public authorities that fall under the mandate of the IPT, such as law enforcement agencies (32 %); local authorities (10 %); and other public authorities, such as the Department for Work and Pensions (28 %). There are no specific statistics available in the IPT’s annual report as to how many of the complaints directed against an intelligence agency were actually upheld in 2010. General statistics on the outcomes of 2010 complaints indicate, however, that the IPT upheld the complaint and ruled in favour of the complainant in six of 210 cases (which covers all complaints resolved by the IPT in 2010, including those carried over from previous years).518

Following the Snowden revelations, various NGOs brought a complaint before the IPT in 2014. The claimants alleged that the use of the programme519 is unlawful, as is the subsequent disclosure and receipt of intercepted material to and from the NSA. The IPT issued two partial rulings on the matter. In its first judgment, the tribunal found Tempora’s actions legal in principle.520 However, since the intelligence services adhered to their policy of ‘neither confirm nor deny’, the tribunal was only able to assess whether the legal framework would allow GCHQ to solicit, receive, store and transmit private communications of individuals located outside the United Kingdom on the basis of an agreed case. The tribunal did not assess the proportionality of its use. The court also ruled on the legality of the British intelligence services receiving data from countries such as the United States, based on communications intercepted by using programmes such as Prism or Upstream. The IPT concluded that the claims were unfounded, based on its finding that there are “sufficient safeguards in place” that afford individuals suitable protection. The decision was based on the disclosure of previously secret policies revealed by the security and intelligence services during the trial. As a result, in its second judgment, the IPT found that GCHQ’s access to the data shared by the NSA was unlawful before December 2014, because the policies that govern it were secret before then, and that during that time it had therefore violated Articles 8 and 10 of the ECHR.521 Privacy International and co-claimant Bytes For All plan to contest the first ruling before the European Court of Human Rights.522

In Belgium, the Standing Committee I has a dual function. In its judicial function, its powers are similar to those of the United Kingdom’s IPT. It investigates complaints and rules on the legality of intelligence measures, and can order their cessation when an individual has been directly affected by specific or exceptional methods of data collecting. The concept of specific and exceptional methods covers all the intelligence operations relevant to this report.523 Specific methods include, among others, the inspection of identification data, localisation and call-associated data of electronic communications and requesting the cooperation of an operator, or direct access to data files.524 Penetrating an IT system is listed among exceptional methods.525

The German G 10 Commission also functions, in addition to general courts, as a quasi-judicial institution, whose decisions are binding on the intelligence services and the government. The G 10 Commission is not only involved in the ex ante approval of surveillance orders, but also investigates the legality and necessity of applied intelligence measures on its own initiative or upon an individual complaint.526

516 Anderson, D., Independent Reviewer of Terrorism Legislation (2015), p. 305.
517 United Kingdom, IPT (2004).
518 United Kingdom, IPT (2010).
519 This includes the upstream surveillance activity by which the British intelligence services, including GCHQ, intercept large fibre optic cables that carry huge amounts of internet users’ private communications. FRA (2014a).
520 United Kingdom, Investigatory Powers Tribunal, Liberty & Others v. the Security Service, SIS, GCHQ, IPT/13/77/H, 5 December 2014.
521 United Kingdom, Investigatory Powers Tribunal, Liberty & Others v. the Security Service, SIS, GCHQ, IPT/13/77/H, 6 February 2015.
522 See: https://www.privacyinternational.org/?q=node/555. See also ECtHR, Bureau of investigative journalism and Alice Ross v. the United Kingdom, No. 62322/14, communicated on 5 January 2015.
523 Belgium, Standing Committee I (2015), p. 71 and following.
524 Belgium, Act on the Special Intelligence Methods used by the Intelligence and Security Services, Art. 18 (1).
525 Ibid., Art. 18 (2).
526 Germany, G 10 Act, Section 15.


3.3. Non-judicial remedies: independence, mandate and powers

As stated above, in addition to courts (ordinary and specialised) and the two specific quasi-judicial institutions in Germany and Belgium, there are other non-judicial bodies with a human rights remit that deal with violations of the right to protection of personal data, and that have an essential role in facilitating access to justice. These include national data protection authorities (DPAs) and ombudsperson institutions. In the area of strategic surveillance, some countries also give oversight bodies the power to provide remedies – which can be of parliamentary, executive or expert nature – to individuals. The extent to which these bodies can provide an effective remedy, however, depends on their independence and other factors, such as specialised knowledge (or lack thereof), and the power to not only access materials and investigate the issues at stake, but also to issue binding decisions as opposed to non-binding recommendations.

3.3.1. Types of non-judicial bodies

Non-judicial options are usually more accessible for individuals than judicial mechanisms because procedural rules are less strict, bringing complaints is less costly and proceedings are faster. This was confirmed by previous FRA evidence, in particular the access to data protection remedies, where more complaints tend to be lodged with national DPAs, and few complainants go through judicial procedures. At the same time, however, the number of non-judicial bodies reported operating in the area of data protection other than DPAs is small, and many non-judicial bodies only have limited powers to offer remedies.527

This research confirms an additional problem with the scope of the DPAs’ mandate. Compared to other fields of data processing activities and other data controllers in the public and private sectors, DPAs’ powers over intelligence services, including their remedial role, are weak.

As for the remedial role of oversight bodies, the parliamentary committees of several EU Member States, namely Croatia, Hungary, Lithuania and Romania, also function as complaints-handling bodies. Oversight bodies other than parliamentary committees, such as those entailing executive and expert oversight (other than DPAs), may also provide remedies, as is the case in Belgium, Croatia, Germany, Denmark, Hungary, Malta, the Netherlands, Portugal and Sweden.

Finally, in all EU-28 there are general ombudsperson institutions empowered to provide remedies. However, these are often only in the form of a non-binding recommendation in cases of maladministration by a public authority, for instance. Moreover, just as with some DPAs, their mandate may explicitly exclude the issue of national security or the actions of national intelligence authorities. This is true of the United Kingdom Parliamentary Commissioner for Administration, for example.528 Considerably more relaxed rules on legal standing are a main advantage of turning to ombudsperson institutions, permitting individuals to bring more generic complaints against the intelligence services.529 In the Netherlands, for instance, everyone has the right to complain to the ombudsman about the activities or alleged activities of the ministers, the heads of the intelligence services, the coordinator and the persons employed by the intelligence services. The complainant must first apply to the responsible minister before filing his/her complaint to the ombudsman.530 The independence of ombudsperson institutions and their direct accountability to the parliament in most of the 28 EU Member States is also beneficial. But this must be seen in the wider context of their remedial powers, which can be quite limited, as the section on powers and specialisation of non-judicial bodies shows.

3.3.2. The issue of independence

The validity of non-judicial dispute mechanisms can only be accepted if they themselves conform to general requirements of fairness, including impartiality and independence from the intelligence services and the executive. The latter includes a stable mandate expressed through appointment and dismissal conditions. In the case of an executive oversight body with remedial powers, for example, the question of independence arises when it also has the power to warrant surveillance. On the other hand, parliamentary or expert oversight bodies may have more autonomous administrative structures. But autonomy alone does not guarantee the effectiveness of a remedy – sufficient knowledge is also crucial. Furthermore, how members of oversight bodies are appointed, and their place in the administrative hierarchy, are also important aspects to consider when assessing a body’s independence.

While some aspects of independence need to be enshrined in the law, others can be re-affirmed in a code of at an institutional level. In September 2014,

527 FRA (2014c), p. 7.
528 United Kingdom, Parliamentary Commissioner Act 1967, 22 March 1967, Section 5.
529 Forcese, C. (2012), p. 184.
530 The Netherlands, Intelligence and Security Services Act 2002, Art. 83 (1) in conjunction with The Netherlands, General Administrative Law Act (Algemene Wet Bestuursrecht), 4 June 1992, Art. 9 (1) (3). See also The Netherlands, CTIVD (2014), p. 27.


for instance, the French oversight expert body adopted such a code, spelling out the various criteria that must be met to secure independence.531 The French Law on intelligence spelled out specific ethical rules, including on CNCTR members’ independence, specifying that they should not receive any instructions from any authority, and that members should not have incompatible mandates, links to the intelligence services, or perform any other professions or elective mandates.532

In the context of remedial infrastructure in the area of surveillance (see Figure 5), independence can be an issue with oversight bodies that have remedial powers. Some cases show that they are susceptible to conflicts of interest, which may prompt doubts about their impartiality and independence.533 This does not include DPAs, whose independence in the context of providing remedies in the area of data protection in general was assessed in prior FRA studies.534

Executive oversight bodies with remedial powers may have their independence questioned if they also possess the power to warrant surveillance.535 In Hungary, for example, oversight and complaints-handling functions are both performed by one executive oversight institution: government and its different ministries.

UN good practices on effective remedy
Practice 10. The institutions responsible for addressing complaints and claims for effective remedy arising from the activities of intelligence services are independent of the intelligence services and the political executive […].
UN, Human Rights Council, Scheinin, M. (2010)

Many parliamentary and expert oversight bodies (excluding DPAs) are by law structurally and formally capable of independent oversight. FRA data shows that the administrative structures of parliamentary and expert bodies are granted more autonomy than executive oversight bodies with remedial powers. Autonomy alone does not guarantee unbiased and strong oversight, however; it must be supported by various factors, including sufficient knowledge.

The appointment of expert oversight bodies and their place in the administrative hierarchy are important aspects to consider when assessing a body’s independence. The authority that appoints members or the governing structure of oversight and remedial bodies should not control and supervise the work of the intelligence agencies. Malta and Sweden, where the remedial function of expert bodies is subject to executive control, serve as examples of systems where the controllers and the controlled agencies might not be sufficiently separated.

In Malta, the prime minister appoints the Commissioner of the Security Service, who is, at the same time, responsible for reviewing the legality of the warrants the prime minister issues. Additionally, the prime minister also appoints the head of the security services. The entire system is therefore dependent on one authority. The commissioner is accountable solely to the prime minister, and cannot communicate with the media or be summoned to court. Moreover, decisions of the commissioner cannot be subject to appeal, nor may they be questioned before a court. This goes against the well-established standards requiring decisions of non-judicial dispute mechanisms to be supervised by a judicial body. The 1996 Security Service Act also curtails the commissioner’s ability to bring a problem to the public’s attention by directing him/her to only report to the prime minister.536 Similarly in Sweden, seven members of the Swedish Defence Intelligence Commission are appointed by the government and its chair and vice chair must be or have been judges. The government has full discretion to appoint the chair and vice chair, while the parliament nominates the remaining members.537

Determining the optimal distance between the controlled and the controllers is complex, since providing up-to-date expertise requires oversight bodies to work side by side with the intelligence agencies. Therefore, while ties that are too close may lead to a conflict of interest, too much separation might result in oversight bodies that, while independent, are very poorly informed. Chesterman describes the flipside of independence: “The advantages of review are that it is normally conducted by an independent body, and typically results in a public finding. These are also the disadvantages. Independence can mean unfamiliarity with the agency being examined, leading to practical and political problems such as access to information or sensitivity to context”.538 Other relevant considerations are the term for which the members and the head of oversight bodies are appointed, and the dismissal rules.

Expert bodies such as the Belgian Standing Committee I, the Danish Oversight Committee, the Croatian Council for Civic Oversight of Security and Intelligence Agencies, and the Portuguese Council for the Oversight of the Intelligence System of the Portuguese Republic, are appointed for a fixed tenure, and their members enjoy personal and functional independence. Forcese suggests an expert body be staffed by persons of

531 France, CNCIS (2015a), p. 65 and following.
532 France, Interior Security Code, Art. L. 832–1 and Art. L. 832–2.
533 Forcese, C. (2012).
534 FRA (2014d); FRA (2012).
535 Born, H. and Leigh, I. (2005), p. 68.
536 Malta, Security Service Act, Section 12.
537 Sweden, Act on Signals Defence Intelligence, Section 10.
538 Chesterman, S. (2011), p. 313.


diverse backgrounds, but with a minimum quota having legal training.539

The composition of parliamentary oversight committees in Hungary, Croatia, Italy, Lithuania and Romania, although independent from the intelligence services and the executive, is based on the current composition of the parliament, and less on expertise. In some cases this shortcoming in expertise is compensated by the opportunity to hire external advisers, such as in Hungary.540 Still, according to some, “[C]omplaints handling may require close scrutiny of minutiae, rules of procedural fairness, and evidentiary considerations relating to, for example, the credibility of witnesses, which are better handled in a more quasi-judicial environment”,541 such as the United Kingdom’s Investigatory Powers Tribunal (IPT). As for parliamentary oversight bodies with remedial powers in particular, according to the Venice Commission, “The constitutional principle of separation of powers can make it problematic for a parliamentary body to play such a quasi-judicial role”.542

3.3.3. Powers and specialisation of non-judicial remedial bodies

Any non-judicial entity tasked with providing a remedy must have the power to conduct a thorough review of the case, which includes having access to all relevant materials and having the power to grant a binding remedy.543 Although this section focuses on the powers of non-judicial remedial bodies, the question of specialisation of such bodies – which represent a challenge in case of ordinary courts – is also briefly touched upon.

UN good practices on effective remedy and data protection
Practice 10. The institutions responsible for addressing complaints and claims for effective remedy arising from the activities of intelligence services […] have full and unhindered access to all relevant information, the necessary resources and expertise to conduct investigations, and the capacity to issue binding orders.
Practice 25. An independent institution exists to oversee the use of personal data by intelligence services. This institution has access to all files held by the intelligence services and has the power to order the disclosure of information to individuals concerned, as well as the destruction of files or personal information contained therein.
UN, Human Rights Council, Scheinin, M. (2010)

The UN Office of the High Commissioner for Human Rights points out: “[F]or remedies to be effective, they must be capable of ending ongoing violations, for example, through ordering deletion of data or other reparation. [S]uch remedial bodies must have [t]he capacity to issue binding orders.”544

ECtHR case law: lack of effective remedy
“Turning to the present case, the Court observes that the Parliamentary Ombudsperson and the Chancellor of Justice have competence to receive individual complaints and have a duty to investigate them to ensure that the relevant laws have been properly applied. By tradition, their opinions command great respect in Swedish society and are usually followed. However, [...], the Court found that the main weakness in the control afforded by these officials is that, apart from their competence to institute criminal proceedings and disciplinary proceedings, they lack the power to render a legally binding decision. In addition, they exercise general supervision and do not have specific responsibility for inquiries into secret surveillance or into the entry and storage of information on the Security [Service] register. As it transpires […], the Court found neither remedy, when considered on its own, to be effective within the meaning of Article 13 of the Convention.”
ECtHR, Segerstedt-Wiberg and Others v. Sweden, No. 62332/00, 6 June 2006, para. 118

Figure 6 shows which of the different oversight bodies (including DPAs) have the power to hear complaints in different Member States. In some, more than one type of oversight body is mandated to hear individual complaints. But, as indicated in the explanatory notes, not all of these bodies have the power to issue binding decisions regarding these complaints. Additionally, several EU Member States have oversight bodies with no remedial powers. These include the Czech Republic, Estonia, Latvia, Luxembourg, Poland, Slovakia, Spain and the United Kingdom. Furthermore, the below categorisation is made on the basis of relevant provisions of surveillance laws, and is therefore not an assessment of their practical implementation.

As Figure 6 shows, only the Romanian parliamentary committee has the power to receive complaints and issue binding decisions. The extent to which this avenue can provide an effective remedy also depends on whether members of parliament who belong to these special parliamentary committees have experience in the field of intelligence and qualified supporting staff.

Among the independent expert bodies (excluding DPAs), the German G 10 Commission and the Danish Oversight Committee are among those that have the power to receive complaints and issue binding decisions. The G 10 Commission is competent to handle

539 Forcese, C. (2012), pp. 188–189.
540 Hungary, homepage of the Parliamentary Committee on National Security, www.parlament.hu/web/nemzetbiztonsagi-bizottsag.
541 Forcese, C. (2012), p. 190.
542 Venice Commission (2015), p. 32.
543 UN, Human Rights Council, Emmerson, B. (2014), para. 61.
544 UN, OHCHR (2014), para. 41.


Figure 6: Types of national oversight bodies with powers to hear individual complaints in the context of surveillance, by EU Member State

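[Figure 6 graphic: Member States AT, IT, NL, EL, CY, FI, BG, SI, IE, FR, HU, DE, SE, HR, BE, LT, DK, RO, PT and MT arranged by type of body: DPAs (note 1), expert bodies (note 2), parliamentary bodies (note 3) and executive bodies.]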

Notes:
1. The following should be noted regarding national data protection authorities: In Germany, the DPA may issue binding decisions only in cases that do not fall within the competence of the G 10 Commission. As for ‘open-sky data’, its competence in general, including its remedial power, is the subject of on-going discussions, including those of the NSA Committee of Inquiry of the German Federal Parliament.
2. The following should be noted regarding national expert oversight bodies: In Croatia and Portugal, the expert bodies have the power to review individual complaints, but do not issue binding decisions. In France, the National Commission of Control of the Intelligence Techniques (CNCTR) also only adopts non-binding opinions. However, the CNCTR can bring the case to the Council of State upon a refusal to follow its opinion. In Belgium, there are two expert bodies, but only Standing Committee I can review individual complaints and issue non-binding decisions. In Malta, the Commissioner for the Security Services is appointed by, and accountable only to, the prime minister. Its decisions cannot be appealed. In Sweden, seven members of the Swedish Defence Intelligence Commission are appointed by the government, and its chair and vice chair must be or have been judges. The remaining members are nominated by parliament.
3. The following should be noted regarding national parliamentary oversight bodies: only the decisions of the parliamentary body in Romania are of a binding nature.
Source: FRA (2015)

complaints regarding both targeted and strategic surveillance. In 2013, the G 10 Commission received 21 complaints linked to targeted surveillance, but found no violation of the right to privacy (Article 10 of the constitution). The commission noted that one case related to strategic surveillance was pending before the Federal Administrative Court.545

The Belgian Standing Committee I has the same powers when reviewing the legality of specific and exceptional methods, and also receives complaints regarding, or denunciations of, the functioning, actions, conduct or failure to act of the intelligence services. In the former case, its decisions are binding, while in the latter, it produces non-binding opinions or recommendations to the competent authorities.546 Its role is not aimed at compensating the victim. This can be done before a judge. It provides moral compensation to the individual, and a useful basis for a judicial claim. The role of the oversight body in the case of complaints is to uphold constitutional rights and the law. Denunciations are aimed at, but not limited to, whistleblowers wishing to complain about their own administration. When dealing with these, the Standing Committee I tries to improve the efficiency of the intelligence services. Some of Standing Committee I’s conclusions have triggered legislative reforms or changes in management. The complaints and denunciations follow neither strict rules of procedure nor formalities. The Standing Committee I receives an average of 15 complaints and denunciations per year, and three in four are rejected.547

The Standing Committee I’s annual report describes in detail the five inquiries initiated by individuals that were concluded in 2014, and mentions those still pending. That same year, the Belgian oversight body received 31 complaints. 28 were rejected because they were ill-founded or the Standing Committee I found that it was not competent.548 The Snowden revelations triggered four investigations by the Standing Committee I. One of them was founded on a complaint by the president of the Brussels Bar, who wanted to understand how mass surveillance data could be used in the context of criminal proceedings.549 The Standing Committee I must inform individuals about their investigations’ results. According to one Standing Committee I member, the investigation reports always take into account the

545 Germany, Federal Parliament (Deutscher Bundestag) (2015), p. 6 and following.
546 Vande, G. W. (2013), p. 255.
547 Ibid., p. 258.
548 Belgium, Standing Committee I (2015), p. 7 and following.
549 Ibid., p. 40–45.


necessary confidentiality of the intelligence services’ operations and the need for transparency.550

The Dutch Review Committee (CTIVD) acts as an “independent complaints advisory committee”551 in the sense that individuals cannot complain directly to the CTIVD. They must first complain to the responsible minister, who then transmits the complaint to the Review Committee. After its investigation, it provides the responsible minister with an advisory opinion on the matter. It is up to the minister to take the final decision, but, if the minister disagrees with the Review Committee’s conclusions, the advisory opinion is sent to the complainant. In its annual report covering the period from April 2013 to March 2014, the CTIVD mentioned the 20 complaints handled during that period. Five of them were either partially or fully well-founded. In one of the latter cases, the responsible minister negotiated the allocation of damages with the complainant. The minister followed the committee’s opinion in all 20 cases.552 The annual report covering the period 2014–2015 refers to 10 complaints, of which four were partially or fully well-founded.553 In the context of some of these complaints, the CTIVD raises the issue of secrecy surrounding the facts included in the CTIVD’s opinion; in such cases, the minister decides which information may be provided to the individual. CTIVD stated it would favour declassifying information contributing to better understanding of the working methods of the services, and in particular cases suggested declassifying the information. In some of the cases, the responsible minister did not follow the Review Committee’s suggestions.554

In Hungary the remedial function is also attributed to the executive oversight body, since the responsible ministers (Interior or Defence) are also responsible for handling individual complaints.

The above-mentioned expert and executive bodies are equipped with relatively wide investigatory powers, which cover direct access to intelligence files. Sweden additionally has the capacity to immediately stop on-going signals intelligence from the National Defence Radio Establishment, and to decide on the destruction of material if it emerges that the surveillance is being conducted in a manner that contravenes the regulations. The Maltese Commissioner has full authority to scrutinise the services and demand any information on investigations. The Belgian, Danish and German expert bodies have access to classified information, records and the premises of the intelligence services.555

In addition to the supervisory role, the DPAs of 13 Member States have the power to hear complaints and issue binding decisions on personal data processing by intelligence services. In three Member States, however, the power to access files and premises is limited. In particular, these investigatory powers are limited in France, Germany and Ireland, if national/state security would be threatened or the files are processed for the purpose of safeguarding state security (Ireland). In five Member States, access is accompanied by enhanced requirements, e.g. the presence of the DPA head (Cyprus, Germany, Greece) or a member of the DPA who has been a member of the Council of State, the Court of Cassation or the Court of Auditors (France), or an officer duly authorised in writing (Germany).

In addition, as shown in the FRA report on Access to data protection remedies and in current findings, when data protection violations are caused by a public entity, individuals can seek remedies both via DPAs and via ombudsperson institutions across the EU-28, including in Austria, Belgium, the Czech Republic, Finland, Hungary, Italy, Portugal, Lithuania, the Netherlands, Slovenia and Sweden.556 However, given their lack of specialisation in data protection issues, they are often not able to provide individuals with expert advice.557 Furthermore, they usually deal with administrative failures rather than with the actual merits of surveillance, making the complainant’s own participation in the process much weaker than in courts.558 A clear exception to this is the Dutch ombudsperson institution, which has this role directly enshrined in the intelligence law. The powers of ombudsperson institutions can be quite limited, and typically conclude with non-binding recommendations on remedies and guides for future action – such as in Slovenia559 or Lithuania560 – rather than a binding, enforceable decision. In Hungary, the ombudsperson institution (Commissioner for Fundamental Rights) both merely has the power to issue non-binding recommendations, and is subject to a law that further restricts its investigatory powers – by excluding specific documents and materials from inspection – when its inquiry affects the national intelligence service.561

550 Vande, G. W. (2013), p. 258.
551 The Netherlands, CTIVD (2015), p. 19.
552 The Netherlands, CTIVD (2014), p. 9 and following. So far, the Minister has always followed the Review Committee’s advice.
553 The Netherlands, CTIVD (2015), p. 19 and following. The reform currently in discussion would permit CTIVD to handle complaints directly, and grant it binding powers. See also The Netherlands, CTIVD (2015), p. 29.
554 Ibid., pp. 22–23.
555 See Wills, A. et al., Policy Department C: Citizens’ Rights and Constitutional Affairs (2011), p. 145.
556 FRA (2014c), pp. 20 and 34.
557 Ibid., p. 34.
558 Born, H. and Leigh, I. (2005), p. 105.
559 Slovenia, Human Rights Ombudsman Act (Zakon o varuhu človekovih pravic), 20 December 1993, Art. 39.
560 Lithuania, Law of the Republic of Lithuania on Intelligence, Art. 23.
561 Hungary, Act CXI of 2011 on the Commissioner for Fundamental Rights (Az alapvető jogok biztosáról szóló 2011. Évi CXI. törvény), 26 July 2011, Art. 23.


FRA key findings

According to the applicable international standards, anyone who suspects that he/she is the victim of a privacy or data protection violation has to have the opportunity to seek to remedy the situation. The right to an effective remedy – which allows individuals to seek redress for a violation of their rights – is an essential component of access to justice. A remedy must be ‘effective’ in practice and in law.

As previous FRA reports on access to data protection remedies and on access to justice show, a number of remedial avenues are available to victims of privacy and data protection violations. Non-judicial bodies play an important remedial role in the area of surveillance, given the practical difficulties with accessing general courts. Non-judicial bodies across the 28 EU Member States include expert (including DPAs), executive and parliamentary bodies, as well as ombudsperson institutions. In some Member States, the number of non-judicial bodies with remedial roles in the area of surveillance is relatively encouraging, but should be viewed in light of the following findings.

The complexity of the remedial landscape does not facilitate the implementation of effective remedies, nor does the amount of data gathered by intelligence services performing SIGINT. Fragmentation and compartmentalisation of different remedial avenues have made it difficult to seek remedies. In fact, the collected data shows that only a limited number of cases challenging surveillance practices have been adjudicated at the national level since the Snowden revelations.

Obligation to inform and the right to access

The right to be notified and to access information is crucial to alert individuals to surveillance measures and to start a remedial action. The European Court of Human Rights (ECtHR) has, however, accepted that these rights can justifiably be limited (see ECtHR, Klass and Others v. Germany, No. 5029/71, 6 September 1978). FRA findings show that the secrecy surrounding the work of intelligence services indeed limits these rights. Another factor is the sheer amount of data collected through SIGINT compared with more traditional forms of surveillance.

■ In eight Member States, the obligation to inform and the right to access are not provided for at all by law; rules on classified documents or on official secrets apply. In the other 20 Member States, legislation provides for the obligation to inform and the right to access, in some cases within specific timeframes, albeit with restrictions. These restrictions include various grounds, such as national security, national interests or the purpose of the surveillance measure itself.

■ Only two Member States have specific provisions on the obligation to inform in the context of signals intelligence: in one, individuals are not informed if the selectors used are not directly attributable to the individual; in the other, the individual is not informed if personal data obtained are immediately deleted after collection and not further processed.

■ The oversight bodies of 10 EU Member States, including six national DPAs, review restrictions on the right to be informed and the right to access information by checking whether the invoked national security threat is reasonable, and/or by exercising indirectly the individual’s right to access. In the latter case, the bodies assess whether access to the data may be granted or whether the refusal to do so is legitimate, and also scrutinise the lawfulness of the data processing. In one Member State, a court warrant – certifying that notification would jeopardise the investigation or there are other arguments against it – is required.

■ Two other Member States do not grant a right of access to information as such. The law, however, provides for a right that produces the same result: an individual may request the oversight body to check whether his/her data are subject to unlawful surveillance.

■ In some Member States, the oversight body involved in indirectly exercising an individual’s right to request access to data neither confirms nor denies the data processing. The replies are usually limited to stating that the complaint has been handled and/or checked.

Judicial remedies

Every Member State gives individuals the opportunity to complain about privacy violations via the courts, regardless of whether these have occurred due to targeted or signals intelligence. Courts provide an avenue for individuals to complain about interference with their privacy, including challenging supervisory body decisions on their claims of privacy violations.


They also give individuals an opportunity to seek remedies – including in the area of surveillance.

■ Past FRA research has, however, identified the judges’ lack of specialisation in data protection as a serious obstacle to effectively remedying data protection violations. This finding is relevant for surveillance, where, in addition to the necessary secrecy linked to intelligence, relevant expertise in ICT or in intelligence, for instance, is essential.

■ Only two Member States have mitigated the lack of specialisation with respect to remedies by involving judges/tribunals that both have the necessary knowledge at their disposal to decide on (often) technical matters, and are allowed to access secret material.

Non-judicial remedies

Non-judicial options are usually more accessible to individuals than judicial mechanisms because the procedural rules are less strict, bringing complaints is less costly and proceedings are faster. Previous FRA evidence confirms this, in particular in the context of data protection, as more complaints tend to be lodged with national DPAs and only few complainants pursue judicial proceedings. The number of non-judicial bodies – other than DPAs – reportedly operating in the area of data protection is small, however, and many non-judicial bodies only have limited power to offer remedies.

■ The oversight bodies (including DPAs) in charge of dealing with complaints are independent institutions in the great majority of Member States.

■ Where an executive oversight body has remedial powers, the question of independence arises when it also has the power to warrant surveillance. Parliamentary and expert oversight bodies have more autonomous administrative structures – but autonomy does not guarantee an effective remedy unless also supported by sufficient knowledge. How members of oversight bodies are appointed, and their place in the administrative hierarchy, are also important aspects to consider when assessing a body’s independence.

■ DPAs in 13 EU Member States have the power to examine individual complaints and issue binding decisions. But in three of these, the power to access files and premises is limited. In five Member States, additional requirements – mandating the presence of the head or a member of the DPA during inspections at intelligence service premises – apply.

■ Five out of the seven Member States that entrust their expert oversight bodies (other than DPAs) with specific remedial powers do so by allowing these bodies to issue binding decisions. In two EU Member States, an executive oversight body also has remedial powers. Parliamentary committees in four Member States are entitled to hear individual complaints, but only one can resolve them with binding decisions.

■ Ombudsperson institutions, which exist in all 28 EU Member States, mostly deal with administrative failures rather than with the actual merits of surveillance. Only one Member State provides the ombudsperson institution with remedial powers via the relevant intelligence law. In addition, the ombudsperson institutions’ powers can be quite limited, and proceedings typically conclude with non-binding recommendations that aim to put matters right and guide future action, rather than with a binding, enforceable judgement. This obviously impacts the effectiveness of the remedies they are able to provide.

■ Other elements that can facilitate an individual’s access to remedies include more relaxed rules on the evidentiary burden and class actions, as well as effective whistle-blower protection. The Parliamentary Assembly of the Council of Europe considers whistleblowing to be the most effective tool for enforcing the limits placed on surveillance.

Conclusions

This report maps the legal frameworks on surveillance the first step in attaining a transparent system, is there- and the relevant safeguards in place to protect privacy fore an obstacle. and data protection in the 28 EU Member States. The privacy and data protection safeguards illustrate the How applicable are the ECtHR’s standards – mostly way other fundamental rights are also guaranteed by developed in the context of targeted surveillance – to Member States’ law. The analysis presents the legal signals intelligence? This is the underlining question framework on both targeted surveillance and signals of this report. Cases dealing with ‘mass surveillance’, intelligence in five Member States that have detailed as revealed by Edward Snowden, are pending before legislation on this surveillance method. The report the ECtHR. analyses the legal regimes in place, not their day-to-day implementation. The necessary fieldwork research will This report presented various oversight systems chosen be presented in an upcoming FRA report. by EU Member States. Oversight bodies contribute to a better understanding of how intelligence services In this area of restricted EU competence, the report work. As stated by the Dutch oversight body, “An over- highlights the great diversity among Members States strong culture of secrecy not only creates scope for regarding how intelligence services are organised and unacceptable practices, it may also give rise to myths perform their essential tasks. The Member States are and misunderstandings. 
As Snowden’s revelations have all bound by minimum international human rights law shown, this may eventually come to work against the standards developed by the United Nations, which intelligence and security services themselves.”565 The are of universal application, and which the Union pro- work of these bodies also demonstrates that surveillance motes.562 Likewise, the Council of Europe (including the methods can be controlled if the oversight mechanisms ECtHR) standards provide a minimum standard. EU law, are provided with enough powers and means. Above as interpreted by the CJEU, also has an impact. Given all, independence and proper means to work are crucial. that a limited number of applicable international regu- lations, aside from existing international human rights Exchanges on practices between actors help clarify and law, apply, the role of self-regulatory measures and enhance relevant control standards. Despite the great soft law should be further assessed, as suggested by diversity and the predominantly national competences some authors.563 of oversight bodies, exchanges can help promote prom- ising practices. When it comes to exchanges between Surveillance measures interfere greatly with individu- oversight bodies, already existing networks, such as als’ rights, but are secret in nature. Therefore, individ- the European Network of National Intelligence Review- uals are bound to rely on a degree of trust in public ers (ENNIR),566 can be fostered. Such exchanges and authorities, which in turn must safeguard his/her funda- cooperation should, however, not be limited to over- mental rights. In its case law on secret surveillance, sight bodies. Similar exchanges on the manner in which the ECtHR recognises the specificity of the surveillance intelligence services uphold fundamental rights in their context by focusing on the legality of the interference work could also be beneficial. and on the safeguards in place. 
In the context of signals intelligence, oversight solutions Clear and accessible legislation, strong oversight mech- vary in the five Member States studied in more detail. anisms, proper control mechanisms, as well as effective The specificity of this surveillance technique presents remedies are only some of the elements essential for a particular challenge for oversight bodies in charge of the kind of accountability that encourages the level of controlling its legality. Legal frameworks do not pro- trust society should have vis-à-vis its intelligence ser- vide strong powers in the context of SIGINT. As stated vice. Achieving this may undeniably be difficult. The by Chesterman, British Reviewer of Terrorism Legislation noted that, due to the secrecy intelligence services operate in, “it “Most of the structures set up to limit cannot be excluded that practices take place which are the powers of intelligence agencies tend completely unknown to commentators or which have to assume a model of individualized no legal sanction whatsoever”.564 The difficulty in pro- searches […]. The move to more systematic ducing clear and accessible legislation, which is merely surveillance of the entire population requires a different regime. Warrants will still be

562 See Council of the European Union (2015).
563 See Brown, I. et al. (2015) and Laurent, S.-Y., CNCIS (2015a).
564 Anderson, D., Independent Reviewer of Terrorism Legislation (2015), p. 148.
565 The Netherlands, CTIVD (2015), p. 32.
566 See the European network of national Intelligence Reviewers (ENNIR) www.ennir.be/.


important for narrowly targeted surveillance or to authorize searches of property, but accountability for systematic surveillance will necessarily be more general”.567

It should include detailed reporting, the use of technology to keep track of access to data and what is done with it, clear lines of internal authority, and adequate oversight by the legislature. For Chesterman, the key is to be able to hold the services accountable.568 The Venice Commission cited the German and Swedish systems as models which could possibly be built upon.569 However, recent revelations have demonstrated shortcomings in the German control system. Huber, a member of the German oversight body, summarised the challenges as follows:

“Effective control of these strategic measures by way of parliamentary bodies or other independent entities in practice proves very difficult, if not impossible. [Eine effektive Kontrolle dieser strategischen Maßnahmen durch parlamentarische Gremien oder sonstige unabhängige Stellen erweist sich in der Praxis als sehr schwierig, wenn nicht sogar als aussichtslos. – FRA translation]“570

The reactions to the Snowden revelations have also underscored the need to adopt and strengthen legal frameworks, and this report shows that a number of legal reforms have been carried out. These, however, should not be limited to reacting to scandals. Periodical assessments of the functioning and legitimacy of the frameworks that govern intelligence service activities must become an integral part of the oversight systems. How can the legal frameworks be further reformed to address the lack of adequate oversight? Reform processes in the EU Member States also need to take technological developments into account, and provide intelligence services and oversight mechanisms with adapted tools. Protecting individuals while also safeguarding fundamental rights is the complex challenge lawmakers need to meet.

567 Chesterman, S. (2011).
568 Ibid.
569 Venice Commission (2015). However, commentators have also criticized the German system. See Venice Commission (2015), p. 19 and 34.
570 Huber, B. (2015), p. 4.

References

Access, Electronic Frontier Foundation, and Privacy International (2014), International Principles on the Application of Human Rights to Communications Surveillance (Necessary and Proportionate Principles), May 1994.

Anderson, D., Independent Reviewer of Terrorism Legislation (2015), A question of trust: Report of the investigatory powers review, London, 11 June 2015.

Article 19 (1996), Johannesburg Principles on national security, freedom of expression and access to information, freedom of expression and access to Information, Policy brief, London, 1 November 1996.

Article 29 Working Party (2010), Report 01/2010 on the second joint enforcement action: Compliance at national level of Telecom Providers and ISPs with the obligations required from national traffic data retention legislation on the legal basis of Art. 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC amending the e-Privacy Directive, 00058/10/EN, 13 July 2010.

Article 29 Working Party (2014a), Joint statement of the European data protection authorities assembled in the Article 29 Working Party, 26 November 2014

Article 29 Working Party (2014b), Opinion 04/2014 on surveillance of electronic communications of intelligence and national security purposes, 10 April 2014.

Article 29 Working Party (2014c), Working Document on surveillance of electronic communications for intelligence and national security purposes, 5 December 2014.

Austria, Federal Agency for State Protection and Counter Terrorism (Bundesamt für Verfassungsschutz und Terrorismusbekämpfung, BVT) (2014), Verfassungsschutzbericht 2014, Vienna.

Austria, Federal Agency for State Protection and Counter Terrorism (Bundesamt für Verfassungsschutz und Terrorismusbekämpfung, BVT) (2015), Verfassungsschutzbericht für das Jahr 2014, Vienna.

Bäcker, M. (2014), Erhebung, Bevorratung und Übermittlung von Telekommunikationsdaten durch die Nachrichtendienste des Bundes. Stelungnahme zur Anhörung des NSA-Untersuchungsauschusses am 22 Mai 2014, position paper submitted to the NSA Committee of Inquiry.

Belgium, Standing Intelligence Agencies Review Committee (Standing Committee I) (Comité permanent de contrôle des services de renseignements et de sécurité – Comité Permanent R) (2011), Rapport d’activités 2010 Activiteitenverslag 20140, Antwerp and Cambridge, Intersentia.

Belgium, Standing Intelligence Agencies Review Committee (Standing Committee I) (Comité permanent de contrôle des services de renseignements et de sécurité - Comité Permanent R) (2012), Activity Report 2010 Activity Report 2011 – Investigations, Control of Special Intelligence Methods and Recommendations, Antwerp and Cambridge, Intersentia.

Belgium, Standing Intelligence Agencies Review Committee (Standing Committee I) (Comité permanent de contrôle des services de renseignements et de sécurité – Comité Permanent R) (2014), Rapport d’activités 2013 Activiteitenverslag 2013, Antwerp and Cambridge, Intersentia.

Belgium, Standing Intelligence Agencies Review Committee (Standing Committee I) (Comité permanent de contrôle des services de renseignements et de sécurité – Comité Permanent R) (2015), Rapport d’activités 2014 Activiteitenverslag 2014, Antwerp and Cambridge, Intersentia.

Bigo, D., Carrera, S., Hernanz, N., Jeandesboz, J., Parkin, J., Ragazzi, F. and Scherrer, A., Policy Department C: Citizens’ Rights and Constitutional Affairs (2013), National programmes for mass surveillance of personal data in EU Member States and their compatibility with EU law, Brussels, European Parliament Directorate-General for Internal Policies.

Bigo, D., Carrera, S., Hernanz, N. and Scherrer, A., Policy Department C: Citizens’ Rights and Constitutional Affairs (2014), National security and secret evidence in legislation and before the courts: Exploring the challenges, PE 509.991, Brussels, European Parliament Directorate-General for Internal Policies.

Born, H. and Caparini, M. (2007), Democratic control of intelligence services: Containing rogue elephants, Hampshire-Burlington, Ashgate Publishing Company.

Born, H., Fluri, P. and Johnsson, A. (eds.), Geneva Centre for the Democratic Control of Armed Forces (DCAF) (2003), Parliamentary oversight of the security sector: Principles, mechanisms and practices, Handbook, Geneva.

Born, H. and Leigh, I. (2005), Making intelligence accountable: Legal standards and best practice for oversight of intelligence agencies, Oslo, Publishing House of the Parliament of Norway.

Born, H., Leigh, I. and Wills, A. (eds.) (2011), International intelligence cooperation and accountability, London and New York, Routledge.

Born, H., Leigh, I. and Wills, A. (2015), Making international intelligence cooperation accountable, Geneva, Centre for the Democratic Control of Armed Forces (DCAF).


Born, H., Lock, K. J. and Leigh, I. (eds.) (2005), Who’s watching the spies?: Establishing intelligence service accountability, Washington, Potomac Books Inc.

Born, H. and Wills, A. (eds.) (2012), Overseeing intelligence services: A toolkit, Handbook, Geneva, Centre for the Democratic Control of Armed Forces (DCAF).

Bozhilov, N. (2007), ‘Reforming the intelligence services in Bulgaria: The experience of 1989-2005’, in: Born, H. and Caparini, M., Democratic control of intelligence services: Containing rogue elephants, Hampshire-Burlington, Ashgate Publishing Company.

Brouwer, H. (2014), ‘A call for more transparency: A Dutch perspective on large scale intelligence gathering and international cooperation’, Speech delivered at the Intelligence Review Agencies Conference, London, 8 July 2014.

Brown, I., Halperin, M., Hayes, B., Scott, B. and Vermeulen, M. (2015), ‘Towards multilateral standards for surveillance reforms’, Oxford Internet Institute Discussion Paper, January 2015.

Cameron, I. (2000), National security and the European Convention on Human Rights, The Hague, Kluwer Law International.

Cameron, I. (2011), ‘Annex A-VIII: Parliamentary and specialised oversight of security and intelligence agencies in Sweden’, in: Wills, A., Vermeulen, M., Born, H., Scheinin, M., Wiebusch, M. and Thorton, A., Policy Department C: Citizens’ Rights and Constitutional Affairs, Parliamentary oversight of security and intelligence agencies in the European Union, Brussels, European Parliament Directorate-General for Internal Policies, pp. 278–288.

Cameron, I. (2013), ‘Foreseeability and safeguards in the area of security: Some comments on the ECHR case law’, in: Van Laethem, W. and Vanderborght, J. (eds.), Vast Comité I, Comité Permanent Contrôle des Services de Renseignements et de Sécutrité, Inzicht in toezicht: Regards sur le contrôle, Antwerp and Cambridge, Intersentia, pp. 163–180.

Cate, F. H., Dempsey, J. X. and Rubinstein, I. S. (2012), ‘Systematic government access to private-sector data’, International Data , Vol. 2, No. 4, pp. 195–199.

Cayford, M., van Gulijk, C. and van Gelder, P. H. A. J. M. (2015), ‘All swept up: An initial classification of NSA surveillance technology’ in: Nowkowski, T., Młyńczak, M., Jodejko-Pietruczuk, A. and Werbińska-Wojciechowska, S. (eds.), Safety and reliability: Methodology and applications, London, Taylor & Francis Group, pp. 643–650.

Chesterman, S. (2011), One nation under surveillance: The new social contract to defend freedom without scarifying liberty, Oxford, Oxford University Press.

Council of Europe Commissioner for Human Rights (2014), ‘The rule of law on the Internet and the wider digital world’, Issue paper, Strasbourg, Council of Europe.

Council of Europe Commissioner for Human Rights (2015), ‘Democratic and effective oversight of national security services’, Issue paper, Strasbourg, Council of Europe.

Council of Europe, Committee of Ministers (2013), Declaration of the Committee of Ministers on Risks to Fundamental Rights stemming from Digital Tracking and other Surveillance Technologies, 11 June 2013.

Council of Europe, Conference of Ministers responsible for Media and Information Society (2013), ‘Freedom of expression and democracy in the digital age: Opportunities, rights, responsibilities’, Keynote speech by Nils Muižnieks, Council of Europe Commissioner for Human Rights, CommDH/Speech(2013)12, Belgrade, 7-8 November 2013.

Council of Europe (1981), Convention for the protection of individuals with regard to automatic processing of personal data, CETS No. 108, 28 January 1981.

Council of Europe (2001), Additional Protocol to the Convention for the Protection of Individuals with regard to automatic processing of personal data regarding supervisory authorities and transborder data flows, CETS No. 181, 8 November 2001.

Council of the European Union (2015), Council conclusions on the Action Plan on Human Rights and Democracy (2015-2019), Doc. 10897/15, Brussels, 20 July 2015.

Cousseran, J.-C. and Hayez, P. (2015), Renseigner les démocraties, renseigner en démocratie, Paris, Odile Jacob.

Croatia, Security and Intelligence Agency (Sigurnosno-obavještajna agencija) (2014), Public Report 2014, 31 August 2014.

Delmas-Marty, M. (2015), ‘La démocratie dans les bras de Big Brother : Propos recueillis par Johannès, F.’, Le Monde, 4 June 2015.

de With, H. and Kathmann, E. (2011), ‘Annex A-III: Parliamentary and specialised oversight of security and intelligence agencies in Germany’ in: Wills, A., Vermeulen, M., Born, H., Scheinin, M., Wiebusch, M. and Thornton, A., Policy Department C: Citizens’ Rights and Constitutional Affairs, Parliamentary oversight of security and intelligence agencies in the European Union, PE 453.207, Brussels, European Parliament Directorate-General for Internal Policies, pp. 218–229.

Dewost, J.-L., Pelletier, H. and Delarue, J.-M. (2015), ‘Vingt-cinq années d’exercice de la CNCIS – Le contrôle des techniques de renseignement’, in : CNCIS (2015b), 23e rapport d’activité : Années 2014-2015, Paris, La documentation française, pp. 11–32.

Dietrich, J.-H. (2015), ‘Of toothless windbags, blind guardians and blunt swords: The ongoing controversy about the reform of intelligence services oversight in Germany’, Intelligence and National Security’, Intelligence and National Securtiy, pp. 1–19.


EU Action Plan on Human Rights and Democracy, adopted by the Foreign Affairs Council of 20 July 2015, Council of the European Union (2015), Doc. 10897/15, Brussels, 20 July 2015.

European Commission (2000), Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (2000/520/EC), C(2000) 2441, 26 July 2000.

European Commission for Democracy through Law (Venice Commission) (2007), Report on the democratic oversight of the security services, Study No. 388/2006, Doc. CDL-AD(2007)016, Strasbourg, Council of Europe, 11 June 2007.

European Commission for Democracy through Law (Venice Commission) (2015), Update of the 2007 report on the democratic oversight of the security services, Study No. 719/2013, Doc. CDL-AD(2015)006, Strasbourg, Council of Europe, 7 April 2015.

European Commission, FP7-SECURITY, ‘Surveillance: Ethical issues, legal limitations, and efficiency’, Ref. No. 284725, SURVEILLE project, 1 February 2012 to 30 June 2015.

European Conference of Data Protection Authorities (2014), Resolution on the revision of the Convention for the protection of individuals with regard to automatic processing of personal data (Convention 108), Strasbourg, Council of Europe, 5 June 2014.

European Court of Human Rights: Research Division (2013), National security and European case-law, Council of Europe.

European Data Protection Supervisor (EDPS) (2015), Leading by example: The EDPS strategy 2015-2019, Brussels.

European Group on Ethics in Science and New Technologies (EGE) (2014), Ethics of security and surveillance technologies, Opinion No. 28, Brussels, European Commission, 20 May 2014.

Europol Joint Supervisory Body (2014), Data protection inspection report: September 2014, Report No. JSB/Ins.14/41, Brussels, 9 December 2014.

European Network of National Intelligence Reviewers (ENNIR), Intelligence review in Germany, 12 June 2012.

European Parliamentary Research Service (EPRS), Science and Technology Options Assessment (STOA) (2014a), ‘Part 1 – Risks and opportunities raised by the current generation of network services and applications’ in: Mass Surveillance, PE 527.409, European Parliament.

EPRS, STOA (2014b), ‘Part 2 – Technology foresight, options for longer term security and privacy improvements’ in: Mass Surveillance, PE 527.410, European Parliament.

European Parliament, Committee on Civil Liberties, Justice and Home Affairs (2013a), Working document 1 on the US and EU Surveillance programmes and their impact on EU citizens fundamental rights, 11 December 2013.

European Parliament, Committee on Civil Liberties, Justice and Home Affairs (2013b), Working document 5 on democratic oversight of Member State intelligence services and of EU intelligence bodies, 20 December 2013.

European Parliament, Committee on Petitions (2014), ‘Notice to Members: Petition No. 1618/2012 by Jan Douwe Kooistra (Dutch) on the right to protection of personal data’, No. 1618/2012, Doc. PE537.416v01-00, 29 August 2014.

European Parliament, Directorate General for Internal Policies (2014), National security and secret evidence in legislation and before the courts: exploring the challenges, Study for the LIBE Committee, 2014.

European Parliament (2001), Report on the existence of a global system for the interception of private and commercial communications (ECHELON interception system) (2001/2098(INI)), A5-0264/2001, 11 July 2001.

European Parliament (2014), Resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs (2013/2188(INI)), P7_TA (2014)0230, 12 March 2014.

Foegle, J.-P. (2015), ‘De Washington à Paris, la “protection de carton” des agents secrets lanceurs d’alerte’, Revue des droits de l’homme, 6 June 2015.

Forcese, C. and LaViolette, N. (2006), Ottawa Principles on Anti-terrorism and Human Rights (2006), Toronto, 1 October 2006.

Forcese, C. (2012), ‘Tool 9: Handling complaints about intelligence services’, in: Born, H. and Wills, A. (eds.), Overseeing intelligence services: A toolkit, Geneva, DCAF, pp. 181–200.

FRA (European Union Agency for Fundamental Rights) (2010), Data protection in the European Union: The role of national data protection authorities (Strengthening the fundamental rights architecture in the EU II), Luxembourg, Publications Office of the European Union (Publications Office).

FRA (2011), Access to justice in Europe: An overview of challenges and opportunities, Luxembourg, Publications Office.


FRA (2012), Opinion of the European Union Agency for Fundamental Rights on the proposed data protection reform package, FRA Opinion 2/2012, Vienna, 1 October 2012.

FRA (2014a), Fundamental rights: Challenges and achievements in 2013 – Annual report, Luxembourg, Publications Office.

FRA (2014b), ‘Ad hoc information request: National intelligence authorities and surveillance in the EU: Fundamental rights safeguards and remedies,’ Franet Guidelines, Vienna, 18 August 2014.

FRA (2014c), Access to data protection remedies, Luxembourg, Publications Office.

FRA (2014d), Opinion of the European Union Agency for Fundamental Rights on the situation of equality in the European Union 10 years on from initial implementation of the equality directives, FRA Opinion 1/2013, Vienna, 1 October 2013.

FRA (2015), Fundamental rights: Challenges and achievements in 2014 – Annual report, Luxembourg, Publications Office.

France, National Commission for the Control of Security Interceptions (Commission nationale de contrôle des interceptions de sécurité, CNCIS) (2015a), 22e rapport d’activité : Années 2013-2014, Paris, La documentation française.

France, National Commission for the Control of Security Interceptions (Commission nationale de contrôle des interceptions de sécurité, CNCIS) (2015b), 23e rapport d’activité : Années 2014-2015, Paris, La documentation française.

France, National Commission on Informatics and Liberty (Commission nationale de l’informatique et des libertés, CNIL) (2015), Rapport d’activité 2014, Paris, La documentation française.

France, Urvoas, J.-J., Parliamentary Delegation on Intelligence (Délégation parlementaire au renseignement) (2014), Rapport relatif à l’activité de la délégation parlementaire au renseignement pour l’année 2014 (Annual Report 2014), Doc. No. 2482 (Assemblée nationale), Doc. No. 201 (Sénat), Assemblée Nationale and Sénat, 18 December 2014.

French Data Network (Réseau de données français), La Quadrature du Net and Fédération des fournisseurs d’accès à Internet associatifs (2015), Amicus Curiae transmis au Conseil constitutionnel dans le cadre des saisines visant la « loi relatif au renseignement ».

Germany, Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für Datenschutz und Informationsfreiheit) (2013), Activity report on data protection for the years 2011 and 2012.

Germany, Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für Datenschutz und Informationsfreiheit) (2015), Activity report on data protection for the years 2013 and 2014.

Germany, Federal Parliament (Deutscher Bundestag) (2013), Bericht über die Kontrolltätigkeit gemäß § 13 des Gesetzes über die parlamentarische Kontrolle nachrichtendienstlicher Tätigkeit des Bundes (Berichtszeitraum November 2011 bis Oktober 2013), Drucksache No. 18/217, 19 December 2013.

Germany, Federal Parliament (Deutscher Bundestag) (2015), Bericht gemäß § 14 Absatz 1 Satz 2 des Gesetzes zur Beschränkung des Brief-, Post- und Fernmeldegeheimnisses (Article 10-Gesetz-G 10) über die Durchführung sowie Art und Umfang der Maßnahmen nach den §§ 3, 5, 7a und 8 dieses (Berichtszeitraum 1. Januar bis 31. Dezember 2013), Drucksache No. 17/12773, 14 March 2013.

Germany, Konferenz der Datenschutzbeauftragten des Bundes und der Länder (DSK), 88th, (2014), Entschließung: Effektive Kontrolle von Nachrichtendiensten herstellen!, Hamburg, 8-9 October 2014.

Greece, Authority for Communication Security and Privacy (Αρχή Διασφάλισης του Απορρήτου των Επικοινωνιών), Annual reports for the years 2004–2014.

Heumann, S. and Wetzling, T., Stiftung neue Verantwortung (2014), ‘Strategische Auslandsüberwachung: Technische Möglichkeiten, rechtlicher Rahmen und parlamentarische Kontrolle’, Europäische Digitale Agenda: Privacy Project, May 2014.

Hoffmann-Riem, W. (2014), Stellungnahme zur Anhörung des NSA-Untersuchungsausschusses am 22 Mai 2014, position paper submitted to the NSA Committee of Inquiry.

Huber, B. (2013), ‘Die strategische Rasterfahndung des Bundesnachrichtendienstes – Eingriffsbefugnisse und Regelungsdefizite’, Neue Juristische Wochenzeitschrift, Vol. 32, No. 35, pp. 2572–2577.

Huber, B. (2015), ‘Von der Überwachung einzelner Personen zur umfassenden strategischen Rasterfahndung’, Paper delivered at the Conference on the Democratic oversight of Intelligence services in the European Union, Brussels, European Parliament, 28-29 May 2015, pp. 1-6.

Hustinx, P. (2014), ‘EU data protection law: The review of Directive 95/46/EC and the proposed general data protection regulation’.

Institute for Information Law (2015), Ten standards for oversight and transparency of national intelligence services, Amsterdam, University of Amsterdam.

International Conference of Data Protection and Privacy Commissioners, 31st, (2009), Resolution: International Standards on the Protection of Personal Data and Privacy, Madrid, 4-6 November 2009.


International Conference of Data Protection and Privacy Commissioners, 36th, (2014), Resolution: Privacy in the digital age, Balaclava Fort, 13-16 October 2014.

Italy, Italian Government (Governo italiano) (2013), ‘Sicurezza dati personali: Protocollo d’intenti tra l’Autorità Garante e il Direttore Generale del Dis’, Press release, 11 November 2013.

Italy, Parliamentary Committee for the Security of the Republic (Comitato parlamentare per la sicurezza della Repubblica, COPASIR) (2014), Relazione annuale (Attività svolta dal 6 giugno 2013 al 30 settembre 2014), Doc. XXXIV No.1, Senate of the Republic (Senato della Repubblica), Chamber of Deputies (Camera dei Deputati), 11 December 2014.

Klamberg, M. (2009), FRA:s signalspaning ur ett rättsligt perspektiv (FRA’s signals intelligence from a legal perspective), SvJT 2009, Juridicum.

Klamberg, M. (2010), ‘FRA and the European Convention on Human Rights: A paradigm shift in Swedish electronic surveillance law’ (published as ‘Overvåking i en Rettsstat’), in: Schartum, D. W. (ed.), Nordisk årbok i rettsinformatikk (Nordic Yearbook of Law and Information Technology), Bergen, Fagbokforlaget, pp. 96–134.

Krempl, S. (2015), ‘NSA-Ausschuss: Peter Schaar sieht große Lücken bei BND-Kontrolle’, Heise Online, 16 January 2015.

La Quadrature du net (2015), ‘Three French NGOs challenge French international surveillance’, Press release, 3 September 2015.

Laurent, S.-Y. (2014), Atlas du Renseignement, Condé-sur-Noireau, Presses de Sciences Po.

Laurent, S.-Y., ‘Liberté et sécurité dans un monde anomique de données’, in: Commission nationale de contrôle des interceptions de sécurité (CNCIS) (2015), 22e rapport d’activité: Années 2013-2014, Paris, La documentation française.

Leigh, I. (2013), ‘A view across the channel: Intelligence oversight in the United Kingdom’, in : Van Laethem, W. and Vanderbroght, J. (eds.), Vast Comité I, Comité Permanent Contrôle des Services de Renseignements et de Sécutrité, Inzicht in toezicht: Twintig jaar democratische controle op de inlichtingendiensten – Regards sur le contrôle: Vingt ans de contrôle démocratique sur les services de renseignement, Antwerp and Cambridge, Intersentia, pp. 431–441.

Löning, M., Stiftung neue Verantwortung (2015), ‘Eine Reformagenda für die deutschen Geheimdienste: Rechtstaatlich, demokratisch, effektiv’, Europäische Digitale Agenda: Privacy Project, Impulse, 15 April 2015.

Lowenthal, M. (2015), Intelligence: From secrets to policy (6th ed.), Thousand Oakes and London, CQ Press and Sage Publications.

Omand, D. (2015), ‘Understanding digital intelligence and the norms that might govern it’, Global Commission on Internet Governance Paper Series, Paper No. 8, Waterloo and London, Centre for international Governance Innovation and Chatham House, 19 March 2015.

Open Society Justice Initiative (2013), Global Principles on National Security and the Right to Information (Tshwane Principles), Tshwane, South Africa, 12 June 2013.

Parliamentary Assembly of the Council of Europe (PACE) (1999), ‘Control of internal security services in the Council of Europe Member States’, Report Doc. 8301, 23 March 1999.

PACE, Committee on Legal Affairs and Human Rights (2015a), Improving the protection of whistleblowers, Report Doc. 13791, Strasbourg, 6 June 2015.

PACE, Committee on Legal Affairs and Human Rights (2015b), Mass surveillance, Report Doc. 13734, Strasbourg, 21 April 2015.

Peers, S. (2013), The extent of national competence as regards internal security, Response to European Parliament inquiry, 18 November 2013.

Phythian, M. (2009), ‘The British intelligence services’, in: Jäger, T. and Daun, A., Geheimdienste in Europa: Transformation, Kooperation und Kontrolle, Heidelberg, VS Verlage, pp. 13–34.

Poland, Helsinki Foundation for Human Rights (2015), ‘PAC: statistical data on ISA’s covert investigative methods still unavailable’, Newsletter, 24 June to 1 July 2015.

Poland, Supreme Audit Office (Naczelna Izba Kontroli) (2014), ‘Nadzór nad służbami specjalnymi’, Press release, 26 August 2014.

Poland, The Internal Security Agency (Agencja Bezpieczeństwa Wewnętrznego, ABW) (2010), Annual Report 2009, Warsaw.

Raab, C., Hallinan, D., Amicelle, A., Clavell, G. G., Galetta, A., De Hert, P. and Jones, R. (2015), ‘Effects of surveillance on civil liberties and fundamental rights in Europe’, in: Wright, D. and Kreissl, R. (eds.), Surveillance in Europe, London and New York, Routledge, pp. 259–318.

Schaar, P. (2014), Überwachung total: Wie wir in Zukunft unsere Daten schützen, Berlin, Aufbau Verlag.

Schätz, A. (2007), ‘Nachrichtendienste im Transformationsprozess?’, Österreichische Militärische Zeitschrift, 4/2007, p. 397.

Schaus, A. (2014), ‘Consultation sur les règles en vigueur en Belgique en matière de protection de la vie privée eu égard aux moyens autorisant l’interception et l’exploitation à grande échelle de données relatives à des personnes, organisations, entreprises ou instances établies en Belgique ou qui ont un lien avec la Belgique’, in : Rapport d’activités 2013, Comité permanent de contrôle des services de renseignements et de sécurité (Comité Permanent R) and Belgian Standing Intelligence Agencies Review Committee (Standing Committee I), Antwerp and Cambridge, Intersentia, pp. 188–212.

Schenke, W.-R., Graulich, K. and Ruthig, J. (2014), Sicherheitsrecht des Bundes, Munich, Beck.

Schwartz, P. (2012), ‘Systematic government access to private-sector data in Germany’, International Data Privacy Law, Vol. 2, No. 4, pp. 289–301.

Sule, S. (2006), Spionage: Völkerrechtliche, nationalrechtliche und europarechtliche Bewertung staatlicher Spionagehandlungen unter besonderer Berücksichtigung der Wirtschaftsspionage, Baden-Baden, Nomos Verlag.

Sweden, Swedish Data Inspection Board (Datainspektionen), Data Inspection report of the government commission (Datainspektionens redovisning av regeringsuppdraget), Fö2009/355/SUND, 6 December 2010.

Sweden, Ministry of Justice (Justitiedepartementet) (2012), En tydligare organisation för Säkerhetspolisen (A clearer organization of the Security Service), No. SOU 2012:77, 28 November 2012.

The Guardian (2013), ‘Clapper admits secret NSA surveillance program to access user data’, 7 June 2013.

The Netherlands, Ministry of the Interior and Kingdom Relations (2014), ‘Constitution to extend protection to e-mails’, Press release, 11 July 2014.

The Netherlands, Review Committee for the Intelligence and Security Services (CTIVD) (2010), Annual Report 2009-2010, The Hague, 31 March 2010.

The Netherlands, CTIVD (2014a), Annual Report 2013-2014, The Hague, 31 March 2014.

The Netherlands, CTIVD (2014b), Review Report on investigative activities of AIVD on social media, No. 39, The Hague, 16 July 2014.

The Netherlands, CTIVD (2015), Annual Report 2014-2015, The Hague, 9 June 2015.

United Kingdom, House of Commons Library (2013), Intelligence and Security Committee, Standard Note SN/HA/2178.

United Kingdom, Information Commissioner’s Office (2014), The Information Commissioner’s submission to the Intelligence and Security Committee of Parliament: Privacy and security inquiry, 31 January 2014.

United Kingdom, Intelligence and Security Committee of Parliament (ISC) (2013), ‘Statement on GCHQ’s alleged interception of communications under the US PRISM programme’, 17 July 2013.

United Kingdom, Intelligence and Security Committee of Parliament (ISC) (2015), Privacy and security: A modern and transparent legal framework, London, 12 March 2015, London, June 2015.

United Kingdom, Intelligence Services Commissioner (2015), Report of the intelligence services commissioner (covering the period of January to December 2014), No. HC 225 SG/2015/74, London, June 2015.

United Kingdom, Interception of Communications Commissioner (IOCCO) (2015), Report of the interception of communications commissioner (covering the period January to December 2014), No. HC 1113 SG/2015/28, London, March 2015.

United Kingdom, IPT (2010), Investigatory Powers Tribunal 2010 report.

UN (United Nations), General Assembly (GA) (2014a), Resolution adopted by the General Assembly on 18 December 2013: The right to privacy in the digital age, A/RES/68/167, 21 January 2014.

UN, GA (2014b) Resolution on the Right to Privacy in the digital age, Doc. A/RES/69/166, 18 December 2014.

UN, GA (2014c), The right to privacy in the digital age: Report of the Office of the United Nations High Commissioner for Human Rights, Doc. A/69/276, 7 August 2014.

UN, Human Rights Committee (2014), Concluding observations on the fourth periodic report of the United States of America, CCPR/C/USA/CO/4, 23 April 2014.

UN, Human Rights Committee (2015a), Concluding observations on the fifth periodic report of France, CCPR/C/FRA/CO/5, 21 July 2015.

UN, Human Rights Committee (2015b), Concluding observations on the seventh periodic report of the United Kingdom of Great Britain and Northern Ireland, CCPR/C/GBR/CO/7, 21 July 2015.

UN, Human Rights Committee (2015c), Concluding observations on the sixth periodic report of Sweden, CCPR/C/SWE/CO/6, 7 May 2009.

UN, Human Rights Council, Emmerson, B. (2014), Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Doc. A/69/397, 23 September 2014.

UN, Human Rights Council, Kaye, D. (2015), Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye: Promotion and protection of all human rights, civil, political, economic, social and cultural rights, including the right to develop, Doc. A/HRC/29/32, 22 May 2015.

UN, Human Rights Council (2015), Resolution on the right to privacy in the digital age, Doc. A/HRC/RES/28/16, 30 March 2015.

UN, Human Rights Council, Scheinin, M. (2009), Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Martin Scheinin: Promotion and protection of all human rights, civil, political, economic, social and cultural rights, including the right to development, Doc. A/HRC/10/3, 4 February 2009.

UN, Human Rights Council, Scheinin, M. (2010), Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, Martin Scheinin: Compilation of good practices on legal and institutional frameworks and measures that ensure respect for human rights by intelligence agencies while countering terrorism, including on their oversight, Doc. A/HRC/14/46, 17 May 2010.

UN, Office of the High Commissioner for Human Rights (OHCHR) (2014), The right to privacy in the digital age, A/HRC/27/37, 30 June 2014.

UN, Special Rapporteur on Freedom of Opinion and Expression, the Organization for Security and Co-operation in Europe (OSCE), Representative on Freedom of the Media, the Organization of American States (OAS), the African Commission on Human and Peoples’ Rights (ACHPR) Special Rapporteur on Freedom of Expression and Access to Information (2015), ‘Joint declaration on freedom of expression and responses to conflict situations’, Statement, 4 May 2015.

United States, National Research Council (2015), Bulk collection of signals intelligence: Technical options, Washington, The National Academies Press.

United States, The White House (2014), ‘Presidential policy directive – Signals intelligence activities’, Directive No. PPD-28, Office of the Press Secretary, 17 January 2014.

Parliamentary oversight of security and intelligence agencies in the European Union, PE 453.207, Brussels, European Parliament Directorate-General for Internal Policies.

Wright, D. and Kreissl, R. (2015), ‘European responses to the Snowden revelations’, in: Wright, D. and Kreissl, R. (eds.), Surveillance in Europe, London and New York, Routledge, pp. 6–50.

Urvoas, J.-J.
(2015), ‘Contrôler les services, la juste place du Parlement’, in : CNCIS (2015b), 23e rapport d’activité : Années 2014-2015, Paris, La documentation française, pp. 33–42. Vande, G. W. (2013), ‘Le traitement des plaintes et des dénonciations: Une mission distincte pour le Comité ?’, in: Van Laethem, W. and Vanderbroght, J. (eds.), Vast Comité I, Comité Permanent Contrôle des Services de Renseignements et de Sécutrité, Inzicht in toezicht – Regards sur le contrôle, Antwerp and Cambridge, Intersentia, pp. 253–267. Vermeulen, M. (2014), ‘Les révélations de Snowden, interception massive de données et espionnage poli- tique’, in : Rapport d’activités 2013, Comité perma- nent de contrôle des services de renseignements et de sécurité (Comité Permanent R) and Belgian Stand- ing Intelligence Agencies Review Committee (Standing Committee I), Antwerpen and Cambridge, Intersentia, pp. 143–187. Wills, A., Vermeulen, M., Born, H., Scheinin, M., Wie- busch, M. and Thornton, A., Policy Department C: Citizens’ Rights and Constitutional Affairs (2011),

Case law index

Case law of the Court of Justice of the European Union

Commission v. Austria, C-614/10, 16 October 2012
Commission v. Hungary, C-288/12, 8 April 2014
Digital Rights Ireland and Seitlinger and others, Joined cases C-293/12 and C-594/12, 8 April 2014
European Commission v. Federal Republic of Germany [GC], C-518/07, 9 March 2010
European Commission v. Italian Republic, C-387/05, 15 December 2009
Institut professionnel des agents immobiliers (IPI) v. G. Englebert et al., C-473/12, 7 November 2013
Maximillian Schrems v. Data Protection Commissioner, C-362/14, Advocate General’s Opinion, 23 September 2015
Maximillian Schrems v. Data Protection Commissioner, C-362/14, 6 October 2015
Metock v. Minister of Justice, Equality and Law Reform, C-127/08, 25 July 2008
ZZ v. Secretary of the State of Home Department, C-300/11, 4 June 2013

Case law of the European Court of Human Rights

Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, No. 62540/00, 28 June 2007
Amann v. Switzerland, No. 27798/95, 16 February 2000
Bernh Larsen Holding AS and Others v. Norway, No. 24117/08, 8 July 2013
Big Brother Watch and Others v. the United Kingdom, No. 58170/03, communicated on 9 January 2014
Bureau of investigative journalism and Alice Ross v. the United Kingdom, No. 62322/14, communicated on 5 January 2015
C.G. and others v. Bulgaria, No. 1365/07, 24 April 2008
Copland v. the United Kingdom, No. 62617/00, 3 April 2007
Heglas v. Czech Republic, No. 5935/02, 1 March 2007
Iordachi and Others v. Moldova, No. 25198/02, 10 February 2009
Janowiec and Others v. Russia [GC], Nos. 55508/07 and 29520/09, 21 October 2013
Kennedy v. UK, No. 26839/05, 18 May 2010
Khelili v. Switzerland, No. 16188/07, 8 March 2012
Klass and Others v. Germany, No. 5029/71, 6 September 1978
Kruslin v. France, No. 11801/85, 24 April 1990
Liberty and Others v. the United Kingdom, No. 58243/00, 1 July 2008
M.M. v. the United Kingdom, No. 24029/07, 29 April 2013
M.N. and Others v. San Marino, No. 28005/12, 7 July 2015
Malone v. the United Kingdom, No. 8691/79, 2 August 1984
Rotaru v. Romania, No. 28341/95, 4 May 2000
Segerstedt-Wiberg and Others v. Sweden, No. 62332/00, 6 June 2006
S. and Marper v. The United Kingdom, Nos. 30562/04 and 30566/04, 4 December 2008
Telegraaf Media Nederland Landelijke Media B.V. and Others v. the Netherlands, No. 39315/06, 22 November 2012
Tretter and Others v. Austria, No. 3599/10, communicated on 6 May 2013
Uzun v. Germany, No. 35623/05, 2 September 2010
Weber and Saravia v. Germany, No. 54934/00, 29 June 2006
Youth initiative for human rights v. Serbia, No. 48135/06, 25 June 2013
Z. v. Finland, No. 22009/93, 25 February 1997


Case law of national courts

Belgium, Constitutional Court (Cour constitutionnelle), No. 145/2011, 22 September 2011
France, Constitutional Court (Conseil constitutionnel), Association French Data Network and Others, Decision 2015–478 QPC, 24 July 2015
France, Constitutional Court (Conseil constitutionnel), No. 2015-713 DC, 23 July 2015
Germany, Federal Administrative Court (Bundesverwaltungsgericht), BVerwG 6 CN 1.13, 28 May 2014
Germany, Federal Constitutional Court (Bundesverfassungsgericht), BvR 1215/07, 24 April 2013
Germany, Federal Constitutional Court (Bundesverfassungsgericht), 1 BvR 2226/94, 14 July 1999
Hungary, Constitutional Court (Alkotmánybíróság), No. 9/2014 (III. 21.) (9/2014. (III. 21.) AB határozat), 17 March 2014
Ireland, Supreme Court, McGee v. Attorney General, [1974] I.R. 284, 19 December 1973
Ireland, High Court, Schrems v. Data Protection Commissioner, [2014] IEHC 310, 18 June 2014
Poland, Administrative Court in Warsaw (Wojewódzki Sąd Administracyjny w Warszawie), Helsinki Foundation for Human Rights v. ABW, II SA/Wa 710/14, 24 June 2014
Poland, Constitutional Court (Trybunał Konstytucyjny), K 23/11, 30 July 2014
Slovenia, Constitutional Court (Ustavno sodišče), No. U-I-45/08-21, 8 January 2009
The Netherlands, Hague District Court (Rechtbank Den Haag), ECLI:NL:RBDHA:2014:8966, 23 July 2014
The Netherlands, Hague District Court (Rechtbank Den Haag), ECLI:NL:RBSGR:2011:BP4872, 16 February 2011
United Kingdom, Investigatory Powers Tribunal, Liberty & Others v. the Security Service, SIS, GCHQ, IPT/13/77/H, 6 February 2015
United Kingdom, Investigatory Powers Tribunal, Liberty & Others v. the Security Service, SIS, GCHQ, IPT/13/77/H, 5 December 2014

Legal instruments index

Council of Europe

Council of Europe, Additional Protocol to the Convention for the protection of individuals with regard to automatic processing of personal data regarding supervisory authorities and transborder data flows, CETS No. 181, 8 November 2001, pp. 1-4
Council of Europe, Convention for the protection of individuals with regard to automatic processing of personal data, CETS No. 108, 28 January 1981, pp. 1-10

European Union

Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ 2008 L 350, 30 December 2008, pp. 60–71
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ 2002 L 201, 31 July 2002, pp. 37–47
European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281, 23 November 1995, pp. 31-50


National legislation

Austria, Data Protection Act 2000 (Datenschutzgesetz 2000 – DSG 2000), BGBl. I. Nr. 165/1999, as amended
Austria, Police Powers Act (Sicherheitspolizeigesetz), BGBl Nr. 662/1992, 28 October 1992, as amended
Austria, Rule of Procedure Act 1975 (Geschäftsordnungsgesetz 1975), 4 July 1975, as amended
Austria, State Security Bill (Entwurf Polizeiliches Staatsschutzgesetz – PStSG), 1 July 2015
Belgium, Act on the Special Intelligence Methods used by the Intelligence and Security Services (Loi relative aux méthodes de recueil des données par les services de renseignement et de sécurité), 4 February 2010
Belgium, Data Protection Act (Loi relative à la protection de la vie privée à l’égard des traitements de données à caractère personnel), 1 April 1993, as amended
Belgium, Law on the Intelligence and Security Services (Loi organique des services de renseignement et de sécurité), 18 December 1998
Belgium, Organic Law on the control of police and intelligence services and the Coordination Unit for Threat Assessment (Loi organique du contrôle des services de police et de renseignement et de l’Organe de coordination pour l’analyse de la menace), 18 July 1991
Belgium, Rules of Procedure of the Chamber of Representatives (Règlement de la Chambre des représentants), 2 October 2003, as amended
Bulgaria, Special Intelligence Means Act (Закон за специалните разузнавателни средства), 21 October 1997
Croatia, Act on the Security Intelligence System of the Republic of Croatia (Zakon o sigurnosno-obavještajnom sustavu Republike Hrvatske), Official Gazette (Narodne novine) Nos. 79/06 and 105/06, 30 June 2006
Croatia, Electronic Communications Act (Zakon o elektroničkim komunikacijama), Official Gazette (Narodne novine) Nos. 73/08, 90/11, 133/12, 80/13 and 71/14, 1 July 2008, as amended
Cyprus, Draft Law of 2014 (Ο περί της Κυπριακής Υπηρεσίας Πληροφοριών (ΚΥΠ) Νόμος του 2014) submitted to the House of Representatives on 23 September 2014
Cyprus, Law No. 138 [I] 2001 on the Processing of Personal Data (Ο Περί της Επεξεργασίας Δεδομένων Προσωπικού Χαρακτήρα (Προστασία του Ατόμου) Νόμος), as amended
Czech Republic, Security Information Service Act (Zákon o Bezpečnostní informační službě), 7 July 1994
Denmark, Act No. 602 of 12 June 2013 on the Danish Defence Intelligence Service (Lov nr. 602 af 12. juni 2013 om Forsvarets Efterretningstjeneste (FE)), 12 June 2013
Denmark, Act No. 604 on the Danish Security and Intelligence Service as amended by Act. No. 1624 of 26 December 2013 (Lov nr. 604 af 12. juni 2013 om Politiets Efterretningstjeneste (PET), som ændret ved lov nr. 1624 af 26. december 2013), 12 June 2013
Denmark, Administration of Justice Act, Consolidated Act No. 1139, (Retsplejeloven, lovbekendtgørelse nr. 1139 af 24. september 2013), 24 September 2013
Denmark, Bill No. 162 of 27 February 2013 on the Act amending the Act on the establishment of a Parliamentary Committee regarding FE and PET (Lovforslag nr. 162 af 27, februar 2013 om lov om ændring af lov om etablering af et udvalg of Forsvarets og Politiets Efterretningstjenester), 27 February 2013
Estonia, Riigikogu Rules of Procedure and Internal Rules Act (Riigikogu kodu- ja töökorra seadus), 17 March 2003
Estonia, Security Authorities Act (Julgeolekuasutuste seadus), 1 March 2001
France, Decree No. 2007-914 for application of article 30 of Law No. 78-17 relating to information technology, files and freedoms (Décret n°2007-914 pris pour l’application du I de l’article 30 de la loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés), 15 May 2007
France, Decree No. 2014–833 on the Inspectorate of intelligence services (Décret n°2014–833 relatif à l’inspection des services de renseignement), 24 July 2014
France, Decree on the composition of the National Commission of Control of the Intelligence Techniques (Décret relative à la composition de la Commission national de contrôle des techniques de renseignement), 1 October 2015


France, Defence Code (Code de la Défense)
France, Interior Security Code (Code de la sécurité intérieure)
France, Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties (Loi n. 78‑17 du 6 Janvier 1978 relative à l’informatique, aux fichiers et aux libertés), 6 January 1978
France, Law No. 2015–912 on intelligence (Loi n°2015–912 relative au renseignement), 24 July 2015
France, National Assembly (Assemblée nationale), Bill on intelligence (Projet de loi relatif au renseignement), as adopted 25 June 2015
France, National Assembly (Assemblée nationale), Bill on the surveillance of international electronic communications (proposition de loi relative aux mesures de surveillance des communications électroniques internationales), 1 October 2015
France, National Assembly (Assemblée nationale), Law No. 2015–912 on intelligence (Loi n°2015–912 relative au renseignement), 24 July 2015, Explanatory note (exposé des motifs), 19 March 2015
France, Ordinance No. 58-1100 on the functioning of the parliamentary assemblies (Ordonnance n°58-1100 relative au fonctionnement des assemblées parlementaires), 17 November 1958, as amended
Germany, Act on Restricting the Privacy of Correspondence, Posts and Telecommunications (Article 10, G 10 Act) (Gesetz zur Beschränkung des Brief-, Post- und Fernmeldegeheimnisses (Artikel 10, Gesetz G 10)), 26 June 2001, as amended
Germany, Act on the Federal Intelligence Service (Gesetz über den Bundesnachrichtendienst), 20 December 1990, as amended
Germany, Code of Administrative Court Procedure, (Verwaltungsgerichtsordnung), 21 January 1960, as amended
Germany, Combating Crime Act (Verbrechensbekämpfungsgesetz), 28 October 1994
Germany, Federal Act on the protection of the Constitution (Bundesverfassungsschutzgesetz), 20 December 1990, as amended
Germany, Federal Budget Order (Bundeshaushaltsordnung), 19 August 1969, as amended
Germany, Federal Data Protection Act (Bundesdatenschutzgesetz), 14 January 2003, as amended
Germany, Parliamentary Control Panel Act (Kontrollgremiumgesetz), 29 July 2009
Greece, Act 2225/1994 on the protection of freedom of correspondence and communications and other provisions (Νόμος 2225/1994 για την προστασία της ελευθερίας της ανταπόκρισης και άλλες διατάξεις), 18 July 1994, as amended
Greece, Data Protection Law 2472/1997 (Νόμος 2472/1997 για την προστασία του ατόμου από την επεξεργασία δεδομένων προσωπικού χαρακτήρα), 10 April 1997, as amended
Greece, Hellenic Constitution, (Σύνταγμα), 11 June 1975, as amended
Greece, Law 3115/2003 on the Hellenic Authority for Communication Security and Privacy (Eλληνική Αρχή Διασφάλισης του Απορρήτου των Επικοινωνιών), 27 February 2003
Greece, Law 3649/2008, National Intelligence Service (EYP) and other provisions (Eθνική Υπηρεσία Πληροφοριών και άλλες διατάξεις), 3 March 2008
Greece, Standing Orders of the Hellenic Parliament (Κανονισμός της Βουλής), 22/24 June 1987, as amended
Hungary, Act CXI of 2011 on the Commissioner for Fundamental Rights (Az alapvető jogok biztosáról szóló 2011. Évi CXI. törvény), 26 July 2011
Hungary, Act CIX of 2014 on the modification of Act CXXV of 1995 on the national security services and the modification of other Acts related to the national security control, 1 February 2015
Hungary, Act CXXV of 1995 on the National Security Services (A nemzetbiztonsági szolgálatokról szóló 1995. Évi CXXV. törvény), 28 December 1995, as amended
Ireland, Data Protection Act, 13 July 1988, as amended
Ireland, Interception of Postal Packets and Telecommunications Messages (Regulation) Act, 6 June 1993


Italy, Law No. 124/2007 on the Information System for the security of the Republic and new rules on State secrets (Sistema di informazione per la sicurezza della Repubblica e nuova disciplina del segreto), 3 August 2007
Latvia, Investigatory Operations Law (Operatīvās darbības likums), 16 December 1993
Latvia, Law on State Security Institutions (Valsts drošības iestāžu likums), 19 May 1994
Lithuania, Law of the Republic of Lithuania on Intelligence (Lietuvos Respublikos žvalgybos įstatymas), No. XI-2289, 17 October 2012, as amended
Lithuania, Law on Legal Protection of Personal Data (Lietuvos Respublikos asmens duomenų teisinės apsaugos įstatymas), No. X-1444, 1 February 2008, as amended
Luxembourg, Act of 2 August 2002 on the protection of persons with regard to the processing of personal data (Loi du 2 août 2002 relative à la protection des personnes à l’égard du traitement des données à caractère personnel), 2 August 2002
Luxembourg, Act of 15 June 2004 on the organisation of the State Intelligence Service (Loi du 15 juin 2004 portant organisation du Service de Renseignement de l’Etat), 15 June 2004, as amended
Luxembourg, Ministry of Justice (Ministère de la Justice), Criminal Investigation Code (Code d’Instruction Criminelle), as amended on 15 April 2015
Malta, Data Protection Act, Chapter 440 of the Laws of Malta, 22 March 2002, as amended
Malta, Security Service Act, Chapter 391 of the Laws of Malta, 26 July 1996, as amended on 6 September 1996
Netherlands, Draft law on the Intelligence and Security Services 20XX (Concept-wetsvoorstel Wet op de inlichtingen- en veiligheidsdiensten 20XX), 02 July 2015
Netherlands, General Administrative Law Act (Algemene Wet Bestuursrecht), 4 June 1992
Netherlands, Intelligence and Security Services Act 2002 (Wet op de inlichtingen- en veiligheidsdiensten 2002), 7 February 2002
Poland, Act on Central Anti-Corruption Bureau (Ustawa o Centralnym Biurze Antykorupcyjnym), 9 June 2006
Poland, Data Protection Act 1997 (Ustawa o ochronie danych osobowych), 30 April 1998
Poland, Resolution of the Polish Sejm on Polish Sejm Rules of Procedure (Uchwała Sejmu Rzeczypospolitej Polskiej Regulamin Sejmu Rzeczypospolitej Polskiej), 30 July 1992
Portugal, Framework Law 30/84 on the Intelligence System of the Portuguese Republic (Lei Quadro do Sistema de Informações da República Portuguesa), 5 September 1984, as amended
Portugal, Organic Law 4/2004 of 6th of November amending the Framework Law of the Information System of the Portuguese Republic (Lei Orgânica No. 4/2004 de 6 de Novembro Altera a Lei Quadro do Sistema de Informações da República Portuguesa), 6 November 2004
Romania, Decision No. 8/1994 of the Romanian Chamber of Deputies concerning the regulation for the functioning of the Chamber of Deputies (Hotărârea nr. 8/1994 privind Regulamentul Camerei Deputaţilor), 24 February 1994
Romania, Decision No. 30/1993 of the Romanian Parliament concerning the organization and functioning of The Joint Permanent Commission of the Senate and the Chamber of Deputies for the Exercise of Parliamentary Control over the activity of the Romanian Intelligence Service (Hotararea nr. 30/1993 a Parlamentului Romaniei privind organizarea şi funcţionarea Comisiei comune permanente a Camerei Deputaţilor şi Senatului pentru exercitarea controlului parlamentar asupra activităţii Serviciului Roman de Informaţii), 23 June 1993
Romania, Decision No. 28/2005 of the Romanian Senate concerning the regulation for the functioning of the Romanian Senate (Hotărârea nr. 28/2005 privind Regulamentul Senatului), 24 October 2005
Romania, Law No. 51/1991 concerning the national security of Romania (Legea nr. 51/1991 privind securitatea nationala a Romaniei), 29 July 1991
Romania, Law No. 1/1998 concerning the organisation and functioning of the External Intelligence Service (Legea nr. 1/1998 privind organizarea si functionarea Serviciului de Informatii Externe), 6 January 1998
Slovenia, Classified Information Act (Zakon o tajnih podatkih), 25 October 2001
Slovenia, Human Rights Ombudsman Act (Zakon o varuhu človekovih pravic), 20 December 1993


Slovenia, Intelligence and Security Agency Act (Zakon o Slovenski obveščevalno-varnostni agenciji, ZSOVA), 7 April 1999 ... 20, 32, 53
Slovenia, Parliamentary Supervision of the Intelligence and Security Services Act (Zakon o parlamentarnem nadzoru obveščevalnih in varnostnih služb), 26 February 2003 ... 37
Spain, Act 11/1995 regulating the use and control of secret funds (Ley 11/1995, de 11 de mayo, reguladora de la utilización y control de los créditos destinados a gastos reservados), 11 May 1995 ... 39
Spain, Code of Criminal Procedure (Ley de Enjuiciamiento Criminal) ... 54
Spain, Organic Law Regulating a priori judicial control of the National Intelligence Centre (Ley Orgánica 2/2002 reguladora del control judicial previo del Centro Nacional de Inteligencia), 6 May 2002 ... 20, 54
Spain, National Intelligence Centre Act (Ley 11/2002 reguladora del Centro Nacional de Inteligencia), 6 May 2002 ... 20, 39
Sweden, Act on Processing of Personal Data in the National Defence Radio Establishment (2007:259) (Lag om behandling av personuppgifter i Försvaretsradioanstalts försvarsunderrättelse-och utvecklingsverksamhet (2007:259)), 10 May 2007 ... 30
Sweden, Act on Signals Defence Intelligence (2008:717) (Lag om signalspaning i försvarsunderrättelseverksamhet (2008:717)), 10 July 2008 ... 23, 26, 32, 46, 63, 65, 71
Sweden, Act on the Foreign Intelligence Court (2009:966) (Lagen om Försvarsunderrättelsedomstol (2009:966)), 15 October 2009 ... 46, 54, 55
Sweden, Government Bill 2006/07:46 Processing of Personal Data by the Armed Force and the National Defence Radio Establishment (Regeringens proposition 2006/07:46, Personuppgiftsbehandling hos Försvarsmakten och Försvarets radioanstalt) ... 23
Sweden, Regulation 2009:968 with instructions for the Foreign Intelligence Court (Förordning (2009:968) med instruktion för Försvarsunderrättelsedomstolen), 15 October 2009 ... 46, 55
United Kingdom, Intelligence Services Act 1994, 26 May 1994 ... 26
United Kingdom, Justice and Security Act 2013, 25 April 2013 ... 33, 38, 39, 40, 41, 45
United Kingdom, Parliamentary Commissioner Act 1967, 22 March 1967 ... 70
United Kingdom, Regulation of Investigatory Powers Act 2000, 1 August 2000 ... 23, 33, 45, 53, 55, 56, 68


Annex: Overview of security and intelligence services in the EU‑28

Civil (internal) | Civil (external) | Civil (internal and external) | Military

AT: Federal Agency for State Protection and Counter Terrorism/Bundesamt für Verfassungsschutz und Terrorismusbekämpfung (BVT) (part of the police); Military Intelligence Service/ (HNA); Military Defence Agency/Heeresabwehramt (HAA)

BE: State Security/Staatsveiligheid/Sûreté de l’Etat (SV/SE); General Intelligence and Security Service of the armed forces/Algemene Dienst Inlichting en Veiligheid/Service général du renseignement et de la sécurité des Forces armées (ADIV/SGR or SGRS)

BG: State Agency for National Security/Държавна Агенция “Национална сигурност” (SANS); State agency “Technical operations”/Държавна агенция „Технически операции“ (SATO); Military information service

CY: Central Intelligence Service/Κεντρική Υπηρεσία Πληροφορικών (ΚΥΠ)

CZ: Security Information Service/Bezpečnostní informační služba (BIS); Office for Foreign Relations and Information/Úřad pro zahraniční styky a informace (ÚZSI); Military Intelligence/Vojenské zpravodajství (VZ)

DE: Federal Office for the protection of the Constitution/Bundesamt für Verfassungsschutz (BfV); Federal Intelligence Service/Bundesnachrichtendienst (BND); Military Counter-Intelligence Service/Militärischer Abschirmdienst (MAD)

DK: Danish Security and Intelligence Service/Politiets Efterretningstjeneste (PET) (part of the police); Danish Defence Intelligence Service/Forsvarets Efterretningstjeneste (FE)

EE: Estonian Internal Security Service/Kaitsepolitseiamet (KAPO); Information Board/Teabeamet (TA); Military Intelligence Branch of the Estonian Defense Forces/Kaitseväe peastaabi luureosakond

EL: National Intelligence Service/Εθνική Υπηρεσία Πληροφοριών (EYP); Directorate of Military Intelligence of the National Defence General Staff/Διεύθυνση Στρατιωτικών Πληροφοριών του Γενικού Επιτελείου Εθνικής Άμυνας

ES: National Center for the Protection of Critical Infrastructures/Centro Nacional de Protección de Infraestructuras Críticas (CNPIC); National Intelligence Centre/Centro Nacional de Inteligencia (CNI); Intelligence Centre on Organised Crime and Terrorism/Centro de Inteligencia Contra el Terrorismo y el Crimen Organizado (CITCO); Intelligence Centre of the Armed Forces/Centro de Inteligencia de las Fuerzas Armadas (CIFAS)

FI: Finnish Security Intelligence Service/Suojelupoliisi/Skyddspolisen (SUPO) (service belonging to the police); Finnish Defence Intelligence Agency/Tiedustelulaitos/underrättelsetjänst (FDIA)

FR: Directorate General of Interior Security/Direction générale de la sécurité intérieure (DGSI); Directorate General of External Security/Direction de la sécurité extérieure (DGSE); Directorate of Military Intelligence/Direction du renseignement militaire (DRM)

HR: Security Intelligence Agency/Sigurnosno-obavještajna agencija (SOA); Military Security Intelligence Agency/Vojna sigurnosno-obavještajna agencija (VSOA)

HU: Constitution Protection Office/Alkotmányvédelmi Hivatal; Special Service for National Security/Nemzetbiztonsági Szakszolgálat (NBSZ); Counter Terrorism Centre/Terrorelhárítási Központ (TEK) (service belonging to the police); Information Office/Információs Hivatal (MKIH); Military National Security Service/Katonai Nemzetbiztonsági Szolgálat (KFH)

IE: (Garda Síochána National Surveillance Unit (NSU) – belonging to the police); Directorate of Intelligence (G2)

IT: Information and Internal Security Agency/Agenzia informazioni e sicurezza interna (AISI); Information and External Security Agency/Agenzia informazioni e sicurezza esterna (AISE); Department information and security/Reparto informazioni e sicurezza (RIS)

LT: State Security Department/Valstybės Saugumo Departamentas (VSD); Second Investigation Department under the Ministry of National Defence/Antrasis operatyvinių tarnybų departamentas prie Krašto apsaugos ministerijos (AOTD prie KAM)

LU: State Intelligence Service/Service de renseignement de l’état (SREL)

LV: Security Police/Drošības policija; Constitutional Protection Bureau/Satversmes aizsardzības birojs (SAB); Military Intelligence and Security Service/Militārās izlūkošanas un drošības dienests (MISS)

MT: Security Service

NL: General Intelligence and Security Service/Algemene Inlichtingen- en Veiligheidsdienst (AIVD); Military Intelligence and Security Service/Militaire Inlichtingen- en Veiligheidsdienst (MIVD)

PL: Internal Security Agency/Agencja Bezpieczeństwa Wewnętrznego (ABW); Central Anti–Corruption Bureau/Centralne Biuro Antykorupcyjne (CBA); Foreign Intelligence Agency/ (AW); Military Counter-intelligence Service/Służba Kontrwywiadu Wojskowego (SKW); Military Intelligence Service/Służba Wywiadu Wojskowego (SWW)

PT: Service of Security Intelligence/Serviço de Informações de Segurança (SIS); Service of Strategic Intelligence and Defense/Serviço de Informações Estratégicas e de Defesa (SIED)

RO: Romanian Intelligence Service/Serviciul Roman de Informatii (SRI); Department for Information and Internal Protection/Departamentul de Informaţii şi Protecţie Internă (DIPI); External Intelligence Service/Serviciul de Informaţii Externe (SIE); Defense General Directorate for Information/Direcţia Generală de Informaţii a Apărării (DGIA)

SE: Security Service/Säkerhetspolisen, (SÄPO); Defence Radio Establishment/Försvarets Radio Anstalt (FRA); Military Intelligence Agency/Militära underrättelsetjänsten (MUST)

SI: Slovene Intelligence and Security Agency/Slovenska obveščevalno-varnostna agencija (SOVA); Intelligence and Security Service of the Ministry of Defence/Obveščevalno-varnostna služba Ministrstva Republike Slovenije za obrambo (OVS MORS)

SK: National Security Authority/Národný bezpečnostný úrad (NBÚ); Slovak Information Service/Slovenská informačná služba (SIS); Military Intelligence/Vojenské spravodajstvo (VS)

UK: British Security Service (BSS) or MI5; Secret Intelligence Service (SIS) or MI6; Government Communications Headquarters (GCHQ); Defence Intelligence (DI)


A summary of the report’s key findings is available on the FRA website at http://fra.europa.eu/en/publication/2015/surveillance-intelligence-services-summary. The summary will be available in all EU languages as of January 2016.

HELPING TO MAKE FUNDAMENTAL RIGHTS A REALITY FOR EVERYONE IN THE EUROPEAN UNION

Surveillance by intelligence services: fundamental rights safeguards and remedies in the European Union Summary

Article 7 of the Charter of Fundamental Rights of the European Union guarantees all individuals in the European Union (EU) the respect for private and family life, while Article 8 guarantees the right to the protection of their personal data. It requires that such data be processed fairly for specific purposes, and secures each person’s right of access to his or her personal data, as well as the right to have such data rectified. It also stipulates that an independent authority must regulate compliance with this right. Article 47 secures the right to an effective remedy, including a fair and public hearing within a reasonable timeframe.

When media worldwide began to publish the ‘Snowden documents’ in June 2013, it brought to light the existence of extensive global surveillance programmes by intelligence services. The Snowden revelations were not the first to hint at programmes of large-scale communication surveillance set up in the aftermath of the 11 September 2001 attacks. The sheer magnitude of these revelations, however, remains unprecedented, potentially affecting people’s privacy around the world. Surveillance no longer merely targets state or business secrets, but allows for the interception of people’s communications on a large scale. This interferes both with the respect for private and family life of individuals and with the right to privacy and data protection – both safeguarded at EU level by the Charter of Fundamental Rights of the European Union (the Charter). As such, the EU and its Member States have an obligation to protect these, including in the context of surveillance, and to provide victims with remedies to challenge unlawful surveillance.

“Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter.”
(CJEU, C-362/14, Maximillian Schrems v. Data Protection Commissioner, Advocate General’s Opinion, 23 September 2015)

The revelations triggered an array of reactions. In the intelligence community, particularly among specialised bodies responsible for overseeing intelligence services, dedicated inquiries and special reports on the Snowden revelations further scrutinised their implications. The EU institutions reacted strongly. The European Commission, the Council of the European Union and the European Parliament all reported on the revelations, expressed concern about mass surveillance programmes, sought clarification from United States’ authorities, and worked on “rebuilding trust” in US–EU relations. Although it is too early to assess the full impact of the Snowden revelations, post-Snowden inquiries in some EU Member States concluded that their current national legal frameworks require reforming. This was further underlined by the European Parliament Resolution of March 2014 on the United States NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs (2013/2188(INI), P7_TA (2014)0230), launching a European Digital Habeas Corpus.

“The Snowden revelations gave us a chance to react. I hope will turn those reactions into something positive and lasting into the next mandate of this Parliament, a data protection bill of rights that we can all be proud of.”
(Claude Moraes, MEP, Rapporteur in the NSA EP inquiry, Press release, 12 March 2014)


HOW TO OBTAIN EU PUBLICATIONS

Free publications:
• one copy: via EU Bookshop (http://bookshop.europa.eu);
• more than one copy or posters/maps: from the European Union’s representations (http://ec.europa.eu/represent_en.htm); from the delegations in non-EU countries (http://eeas.europa.eu/delegations/index_en.htm); by contacting the Europe Direct service (http://europa.eu/europedirect/index_en.htm) or calling 00 800 6 7 8 9 10 11 (freephone number from anywhere in the EU) (*).

(*) The information given is free, as are most calls (though some operators, phone boxes or hotels may charge you).

Priced publications:
• via EU Bookshop (http://bookshop.europa.eu).

TK-04-16-020-EN-N
doi:10.2811/009038
ISBN 978-92-9491-224-4

Protecting the public from security threats and safeguarding fundamental rights involves a delicate balance. Brutal terror attacks and technological innovations making possible large-scale communications data monitoring have further complicated the matter, triggering concerns about violations of the rights to privacy and data protection in the name of national security protection. The Snowden revelations, which uncovered extensive and indiscriminate surveillance efforts worldwide, made clear that enhanced safeguards of these rights are needed.

This report, drafted in response to the European Parliament’s call for thorough research on fundamental rights protection in the context of surveillance, maps and analyses the legal frameworks on surveillance in place in EU Member States. Focusing on so-called ‘mass surveillance’, it also details oversight mechanisms introduced across the EU, outlines the work of entities tasked with overseeing surveillance efforts, and presents the remedies available to individuals seeking to challenge such intelligence activity. By demonstrating the complex considerations involved, this report underscores how difficult it can be to address what are often seen as competing priorities, and contributes to the continuing debate on how best to reconcile them.

FRA - EUROPEAN UNION AGENCY FOR FUNDAMENTAL RIGHTS
Schwarzenbergplatz 11 – 1040 Vienna – Austria
Tel. +43 158030-0 – Fax +43 158030-699
fra.europa.eu – [email protected]
facebook.com/fundamentalrights
linkedin.com/company/eu-fundamental-rights-agency
twitter.com/EURightsAgency